Security is a fast-growing area of computer science, with increasing relevance 
to real-life applications such as Internet transactions and electronic commerce. 
the “International School on Foundations of Security Analysis and Design” 
(FOSAD) that is held annually at the Residential Centre of the University of 
Bologna in Bertinoro, with the goal of disseminating knowledge in this critical 
area, especially for participants coming from less-favored and non-leading coun- 
tries. The Residential Centre (see http://www.centrocongressibertinoro.it/) is a 
former convent and episcopal fortress that has been transformed into a modern 
The first edition of this school (FOSAD 2000) was very successful and the 
collection of tutorial lectures was published in Springer LNCS volume 2171. This 
second volume collects some of the tutorials given at the two successive schools 
(FOSAD 2001 and FOSAD 2002) that attracted many participants from all over 
the world. 
Abstract. The formalisation of security properties for computer sys- 
tems raises the problem of overcoming also in a formal setting the classi- 
cal view according to which confidentiality is an absolute property stating 
the complete absence of any unauthorised disclosure of information. In 
this paper, we present two formal models in which the notion of noninter- 
ference, which is at the basis of a large variety of security properties de- 
fined in the recent literature, is approximated. To this aim, the definition 
of indistinguishability of process behaviour is replaced by a similarity no- 
tion, which introduces a quantitative measure ε of the behavioural differ- 
ence among processes. The first model relies on a programming paradigm 
called Probabilistic Concurrent Constraint Programming, while the sec- 
ond one is presented in the setting of a probabilistic process algebra. In 
both models, appropriate notions of distance provide information (the ε) 
on the security level of the system at hand, in terms of the capability of 
an external observer of identifying illegal interferences. 



1 Introduction 

The exact estimation of properties of computer systems is a problem that was 
widely and successfully attacked via several different formal approaches (see, e.g., 
[CT02,BHK01,HHHMR94,HS95,Hil96,BDG98,Ber99,BB00,Bra02]). However, a 
number of factors make the use of approximation techniques necessary to en- 
hance the reliability of “exact” solutions obtained through the formal analysis 
of the mathematical model of a real, complex system. On the one hand, the 
confidence we can have in the answers computed by a software tool, which are 
delivered with certainty, strictly depends on the likelihood of obtaining precise 
information needed to formally specify the system at hand. On the other hand, 
even when such information is exact, the results of the mathematical analysis 
definitely assert that the considered property is or is not satisfied by the sys- 
tem model, while in practice it often happens that a system that approximately 
behaves like a perfect one is not only acceptable but also the only possible im- 
plementation. In practice, in a realistic scenario, a qualitative binary answer to 
the classical question “does the system satisfy my property?” is too restrictive 
and, in many cases, not significant. 
In this work, we concentrate on formal techniques that employ probabilistic 
information to give a quantitative answer to the kind of question above in the 
restricted framework of security properties. Indeed, the motivations surveyed 
above apply also to the problem of verifying the security requirements of real 
systems. It is well-accepted that the unauthorised disclosure of confidential infor- 
mation cannot be completely avoided in real, complex systems, where typically 
the interplay between the portion of the system handling secrets and the other 
components that instead manage public information is tighter than we would 
expect [RMMG01]. In practice, part of the information flowing through the sys- 
tem cannot be controlled, and a portion of such an unavoidable information flow 
is sometimes illegal, in the sense that it reveals confidential data to unauthorised 
users. In such a case, the goal of the designer consists of minimising the illegal 
information leakage, and, as a consequence, the aim of the analyst must be the 
provision of an approximated estimation of such an information leakage. As a 
simple, real example, consider a password-based authentication system, like, e.g., 
an automatic teller machine. It is trivial to verify that absolute secrecy cannot 
be guaranteed. In fact, a brute-force based attack has the possibility, even if neg- 
ligible, of guessing the password, thus violating the secrecy requirements. The 
analysis of such a kind of system is beyond the scope of possibilistic information 
flow techniques, which reject programs that do not guarantee absolute secrecy. 
A more interesting analysis should state that a potential information leakage is 
not troubling. From a quantitative viewpoint, this corresponds to verify whether 
or not the probability of detecting a potential illegal information flow is beyond 
a threshold for which the observer considers the system to be secure “enough”. 
In case of the automatic teller machine, the probability of cracking the system 
depends on the length of the password and on the number of attempts at dis- 
posal of the attacker. By playing on these parameters, the designer can limit to 
a negligible (as desired) value the probability of accessing the system without 
knowing the appropriate password. 

The approach to information flow analysis we consider is based on the idea 
of noninterference, originally proposed in [GM82], which states that “one group 
of users, using a certain set of commands, is noninterfering with another group 
of users if what the first group does with those commands has no effect on what 
the second group of users can see”. In a security context, the first group is repre- 
sented by the high-level users, which execute confidential, secret activities, while 
the second group is given by the low-level users, which instead see public data 
only. The intuition is that the low-level view of the system to be analysed is 
not to be altered by the behaviour of the high-level users. If this is the case, 
we say that any covert channel cannot be set up from the high level to the 
low level. The verification of the condition above is based on the idea of indis- 
tinguishability of behaviours: in order to establish that there is no information 
flow between a high-level component H and a low-level object L, it is sufficient 
to check if for any pair of behaviours of the system that differ only in H's be- 
haviour, L's observations cannot distinguish these two behaviours. Depending on 
the nature of the information flow, an external observer can characterise differ- 
ent kinds of interference, due, e.g., to the deterministic, nondeterministic, timed, 
or probabilistic behaviour of the system. In particular, possibilistic noninterfer- 
ence for nondeterministic programs is weaker than probabilistic noninterference, 
which helps to reveal those covert channels that arise from the analysis of the 
frequency of the possible observations in several consecutive executions of the 
system [Gra90,McL90]. Consider, e.g., a program P that handles pin numbers 
needed to access the automatic teller machine mentioned above. At a certain 
point of the execution, the following statement is executed: 

low_variable := PIN +_p rand(9999) 

where +_p is a probabilistic choice operator that selects the left-hand command 
(which assigns a secret pin to a public, low variable) with probability p and the 
right-hand command (which assigns a random value from the range [0 . . . 9999] to 
the low variable) with probability 1 − p. According to a purely nondeterministic 
behaviour, the program above is secure, since the set of possible outcomes does 
not change depending on which command will be executed. However, statistical 
inferences derived from the relative frequency of outcomes of repeated executions 
of the program allow an external observer to disclose the secret pin with a 
confidence that depends on the number of executed experiments. 

Probabilistic noninterference also offers the means for approximating nonin- 
terference properties, by quantifying the real effectiveness of each possibilistic 
covert channel. More precisely, the key idea of an approach based on probabilistic 
noninterference is to replace the notion of indistinguishability by an appropriate 
notion of similarity. For instance, consider again program P and assume that 
parameter p is a value very close to 0. Obviously, the behaviour of P is not the 
same as that of the following secure program P’: 

low_variable := rand(9999) 

since if we execute “infinitely often” both programs, then the limit of the fre- 
quencies of the possible outcomes allow the observer to distinguish P from P’. 
However, in practice we have that P and P’ are similar and the probability of 
distinguishing the two programs is still negligible even after a large number n of 
experiments. In other words, P is considered to be an acceptable approximation 
of a secure program. As a result of an approach that replaces the restrictive idea 
of indistinguishability by a relaxed, more realistic notion of similarity, we can 
accept as secure systems a number of programs that somehow suffer from an 
information leakage but in practice offer sufficient security guarantees. 
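The following Python script is an added example (it is not code from the paper or its authors). It makes the comparison between P and P' above concrete: it computes the exact output distributions of both programs for a given p and m = 10000 outcomes, the supremum-norm distance between them (which is the ε of the similarity notion), and a seeded Monte Carlo run of P showing the frequency an observer would actually see. The function runs_to_detect uses a simple binomial heuristic assumed here for illustration (expected surplus of PIN outcomes versus z standard deviations under P'); it is not the paper's measure. The names PIN value 4711 and threshold z are the example's own.

```python
import math
import random

# Added example, not from the paper. Programs under study (Sect. 1 of the paper):
#   P  : low_variable := PIN  +_p  rand(9999)
#   P' : low_variable := rand(9999)
# rand(9999) draws uniformly from [0 .. 9999], so there are m = 10000 outcomes.
M = 10000

def dist_P(p, pin, m=M):
    """Exact output distribution of P: with prob p the PIN, else a uniform value."""
    d = {v: (1.0 - p) / m for v in range(m)}
    d[pin] += p
    return d

def dist_P_prime(m=M):
    """Exact output distribution of the secure program P'."""
    return {v: 1.0 / m for v in range(m)}

def sup_norm_distance(d1, d2):
    """||d1 - d2||_inf: the largest probability gap on any single outcome.
    For P versus P' it equals p * (1 - 1/m), attained at the PIN itself."""
    return max(abs(d1.get(v, 0.0) - d2.get(v, 0.0)) for v in set(d1) | set(d2))

def runs_to_detect(p, m=M, z=3.0):
    """Assumed heuristic (not the paper's measure): the number of runs n after which
    the expected surplus of PIN outcomes under P, n*p*(1-1/m), exceeds z standard
    deviations of the PIN count under P', sqrt(n*(1/m)*(1-1/m)).  Solving for n
    gives n >= z^2 / (m * p^2 * (1 - 1/m))."""
    return math.ceil(z * z / (m * p * p * (1.0 - 1.0 / m)))

def run_P(p, pin, rng, m=M):
    """One execution of P: the probabilistic choice +_p resolved by the RNG."""
    return pin if rng.random() < p else rng.randrange(m)

def pin_frequency(p, pin, n, seed=1, m=M):
    """What an observer sees: relative frequency of the PIN value over n runs of P
    (seeded so that the experiment is reproducible)."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n) if run_P(p, pin, rng, m) == pin)
    return hits / n

if __name__ == "__main__":
    pin = 4711  # constructed secret for the demonstration
    for p in (1e-1, 1e-3, 1e-6):
        eps = sup_norm_distance(dist_P(p, pin), dist_P_prime())
        print(f"p={p:g}: ||O(P) - O(P')||_inf = {eps:.3g}, runs to detect ~ {runs_to_detect(p)}")
    print("observed PIN frequency with p=0.1 over 10000 runs:", pin_frequency(0.1, pin, 10000))
```

Running the script shows the point of the section: the distance ε = p(1 − 1/m) shrinks linearly with p, while the number of experiments an observer needs grows like 1/p², so for p close to 0 the leak is present in the limit but unobservable in any practical number of runs.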

In this work, we survey two semantics-based security models (i.e., models 
that analyse the program behaviour to verify security properties) in which the 
notion of noninterference is approximated in the sense that they allow for some 
exactly quantified information leakage. The first one formalises such an approach 
in the context of a particular probabilistic declarative language, while the second 
one is based on a probabilistic process algebraic framework. 

Language-based formalisms provide a suitable framework for analysing the 
confidentiality properties of real, complex computing systems. Particularly pro- 
mising is the use of program semantics and analysis for the specification of 
information-flow policies and information-flow controls which guarantee data 
confidentiality (see, e.g., [SM03] for a survey). 

On the other hand, process algebras provide all the main ingredients needed 
to specify and analyse noninterference properties of computer systems (see, e.g., 
the several process algebraic approaches described in [FG01]). They are designed 
with the aim of describing concurrent systems that may interact through the 
exchange of messages, so that they can be used to naturally express each infor- 
mation flow occurring within the system to be modeled. They deal with both 
nondeterminism and, as we will focus in this work, probability, so that several 
kinds of information leakage can be revealed. They also deal in an elegant way 
with abstraction thanks to the hiding operator, which can be used to specify the 
observational power of each external observer, depending on the security level of 
such an observer. Last but not least, there exists a strong, natural similarity be- 
tween the notion of indistinguishability for processes and semantic equivalences 
over process algebraic terms. 

In the following (Sect. 2), we first introduce the language-based approach 
by presenting a formalisation of a noninterference property called confinement 
together with its probabilistic and approximated versions in the setting of the 
probabilistic programming language PCCP (Probabilistic Concurrent Constraint 
Programming) [DW98a,DW98b]. In this language nondeterminism is completely 
replaced by probabilistic choice, which makes it possible to develop a statisti- 
cal interpretation of the approximation of the security property. Moreover, the 
different role played by variables in imperative and constraint programming hin- 
ders a direct translation of previous formalisations of noninterference based on the 
imperative paradigm into the PCCP setting, where a more appropriate notion 
must consider process identity rather than variables values. 

Then (Sect. 3), we introduce a process algebraic framework for approximating 
probabilistic noninterference [ABC03]. The basic calculus integrates the charac- 
teristics of the classical CCS [Mil89] and CSP [Hoa85] and employs the prob- 
abilistic model introduced in [BA03], which is a mixture of the reactive and 
generative models of probability [GSS95]. Such an approach permits the mod- 
eler to specify both nondeterministic behaviour and probabilistic information 
in the same system model. The behavioural equivalence of process expressions 
is defined in terms of weak probabilistic bisimulation [BH97], a probabilistic 
extension of the classical weak bisimulation by Milner [Mil89]. Moreover, the 
behavioural similarity among processes is defined in terms of a relation called 
weak probabilistic bisimulation with ε-precision, an approximated version of the 
weak probabilistic bisimulation, where ε provides information on “how much” 
two behaviours differ from each other. 

Finally (Sect. 4), some conclusions and comments about related work termi- 
nate the paper. 
2 Language-Based Approach to Noninterference 

2.1 Probabilistic Concurrent Constraint Programming 

Probabilistic Concurrent Constraint Programming (PCCP) [DW98a,DW98b] 
is a probabilistic version of the Concurrent Constraint Programming (CCP) 
paradigm [SRP91,SR90]. This can be seen as a kind of process algebra enhanced 
with a notion of computational state. More precisely, CCP as well as PCCP 
are based on the notion of a generic constraint system C, defined as a cylindric 
algebraic complete partial order (see [SRP91,dDP95] for more details), which 
encodes the information ordering. This is referred to as the entailment relation 
⊢ and is sometimes denoted by ⊑. A cylindric constraint system includes con- 
straints of the form ∃_x c (cylindric elements) to model hiding of local variables, 
and constraints of the form d_xy (diagonal elements) to model parameter passing. 
The axioms of the constraint system include laws from the theory of cylindric 
algebras [HMT71] which model the cylindrification operators ∃_x as a kind of 
first-order existential quantifiers, and the diagonal elements d_xy as the equality 
between x and y. 



Table 1. The Syntax of PCCP Agents 

A ::= tell(c)                                 adding a constraint 
    | []_{i=1}^{n} ask(c_i) → p_i : A_i       probabilistic choice 
    | ||_{i=1}^{n} q_i : A_i                  prioritised parallelism 
    | ∃_x A                                   hiding, local variables 
    | p(x)                                    procedure call, recursion 


In PCCP probability is introduced via a probabilistic choice and a form 
of probabilistic parallelism. The former replaces the nondeterministic choice of 
CCP, while the latter replaces the pure nondeterminism in the interleaving se- 
mantics of CCP by introducing a probabilistic scheduling. This allows us to 
implement mechanisms for differentiating the relative advancing speed of a set 
of agents running in parallel. 

The concrete syntax of a PCCP agent A is given in Table 1, where c and c_i 
are finite constraints in C, and p_i and q_i are real numbers representing proba- 
bilities. Note that at the syntactic level no restrictions are needed on the values 
of the numbers p_i and q_i; as explained in the next section, they will be turned 
into probability distributions by a normalisation process occurring during the 
computation. The meaning of p(x) is given by a procedure declaration of the 
form p(y) :- A, where y is the formal parameter. We will assume that for each 
procedure name there is at most one definition in a fixed set of declarations (or 
program) P. 
2.2 Operational Semantics 



The operational model of PCCP can be intuitively described as follows. All 
processes share a common store consisting of the least upper bound, denoted by 
⊔ (with respect to the inverse ⊑ of the entailment relation), of all the constraints 
established up to that moment by means of tell actions. These actions allow 
for communication. Synchronisation is achieved via an ask guard which tests 
whether the store entails a given constraint. The probabilistic choice construct 
allows for a random selection of one of the different possible synchronisations 
making the program similar to a random walk-like stochastic process. Parts of 
the store can be made local by means of a hiding operator corresponding to a 
logical existential quantifier. 

The operational semantics of PCCP is formally defined in terms of a proba- 
bilistic transition system (Conf, →_p), where Conf is the set of configurations 
⟨A, d⟩ representing the state of the system at a certain moment and the transi- 
tion relation →_p is defined in Table 2. The state of the system is described by 
the agent A which has still to be executed, and the common store d. The index p 
in the transition relation indicates the probability of the transition to take place. 
In order to describe all possible stages of the evolution of agents, in Table 2 we 
use an extended syntax by introducing an agent stop which represents successful 
termination, and an agent ∃_x^d B which represents the evolution of an agent of the 
form ∃_x B where d is the local information on x produced during this evolution. 
The agent ∃_x B can then be seen as the particular case where the local store is 
empty, that is d = true. In the following we will identify all agents of the form 
||_{i=1}^{n} q_i : stop and ∃_x^d stop with the agent stop as they all indicate a successful 
termination. 

The rules of Table 2 are closely related to the ones for nondeterministic CCP, 
and we refer to [dDP95] for a detailed description. The rules for probabilistic 
choice and prioritised parallelism involve a normalisation process needed to re- 
distribute the probabilities among those agents Ai which can actually be chosen 
for execution. Such agents must be enabled (i.e. the corresponding guards ask(ci) 
succeed) or active (i.e. able to make a transition). This means that we have to 
re-define the probability distribution so that only enabled/active agents have 
non-zero probabilities and the sum of these probabilities is one. The probability 
after normalisation is denoted by p̃_i. For example, in rule R2 the normalised 
transition probability can be defined for all enabled agents by 

p̃_i = p_i / Σ_{⊢c_j} p_j , 

where the sum Σ_{⊢c_j} p_j is over all enabled agents. When there are no enabled 
agents normalisation is not necessary. We treat a zero probability in the same 
way as a non-entailed guard, i.e. agents with zero probability are not enabled; 
this guarantees that normalisation never involves a division by a zero value. 
Analogous considerations apply to the normalisation of active agents in R3. 
It might be interesting to note that there are alternative ways to deal with 
the situation where Σ_{⊢c_j} p_j = 0 (all enabled agents have probability zero). In 
[DW00] normalisation is defined in this case as the assignment of a uniform 
distribution on the enabled agents; such a normalisation procedure allows, for 
example, to introduce a quasi-sequential composition. 

The meaning of rule R4 is intuitively explained by saying that the agent ∃_x^d A 
behaves “almost” like A, with the difference that the variable x which is possibly 
present in A must be considered local, and that the information present in d has 
to be taken into account. Thus, if the store which is visible at the external level 
is c, then the store which is visible internally by A is d ⊔ (∃_x c). Now, if A is able 
to make a step, thus reducing itself to A' and transforming the local store into d', 
what we see from the external point of view is that the agent is transformed into 
∃_x^{d'} A', and that the information ∃_x d present in the global store is transformed 
into ∃_x d'. 

The semantics of a procedure call p(x), modelled by Rule R5, consists in the 
execution of the agent A defining p(x) with a parameter passing mechanism sim- 
ilar to call-by-reference: the formal parameter x is linked to the actual parameter 
y in such a way that y inherits the constraints established on x and vice-versa. 
This is realised in a way to avoid clashes between the formal parameter and 
occurrences of y in the agent via the operator Δ_x^y defined by: 

Δ_x^y A = ∃_x (d_xy ⊔ A)   if x ≠ y, 
Δ_x^y A = A                if x = y. 



Table 2. The Transition System for PCCP 




Observables. We will consider a notion of observables which captures the prob- 
abilistic input/output behaviour of a PCCP agent. We will define the observables 
O(A, d) of an agent A in store d as a probability distribution on constraints. For- 
mally, this is defined as an element in the real vector space: 

V(C) = { Σ_{c ∈ C} x_c c | x_c ∈ ℝ } , 

that is the free vector space obtained as the set of all formal linear combina- 
tions of elements in C. The coefficients x_c represent the probability associated 
to constraints c. 
Operationally, a distribution O(A, d) corresponds to the set of all pairs (c, p), 
where c is the result of a computation of A starting in store d and p is the 
probability of computing that result. For the purpose of this paper we will restrict 
to agents which only exhibit computations whose length is bounded. Note that 
since our programs are finitely branching this implies by König’s lemma that the 
vector space of constraints is finite-dimensional. 

We formally define the set of results for an agent A as follows. 

Definition 1. Let A be a PCCP agent. A computational path π for A in store 
d is defined by 

π = ⟨A_0, c_0⟩ →_{p_1} ⟨A_1, c_1⟩ →_{p_2} ··· →_{p_n} ⟨A_n, c_n⟩ , 

where A_0 = A, c_0 = d, A_n = stop and n < ∞. 

We denote by Comp(A, d) the set of all computational paths for A in store d. 

Definition 2. Let π ∈ Comp(A, d) be a computational path for A in store d, 

π = ⟨A, d⟩ = ⟨A_0, c_0⟩ →_{p_1} ⟨A_1, c_1⟩ →_{p_2} ··· →_{p_n} ⟨A_n, c_n⟩ . 

We define the result of π as res(π) = c_n and its probability as prob(π) = ∏_{i=1}^{n} p_i. 

Because of the probabilistic choice, there might be different computational 
paths for a given PCCP program which lead to the same result. The probability 
associated to a given result c is then the sum of all probabilities prob(π) asso- 
ciated to all paths π such that res(π) = c. This suggests that we introduce the 
following equivalence relation on Comp(A). 

Definition 3. Let π, π' ∈ Comp(A) be two computational paths for A in store 
d. We define π ≈ π' iff res(π) = res(π'). The equivalence class of π is denoted 
by [π]. 

The definitions of res(π) and prob(π) are extended to Comp(A)/≈ in the 
obvious way by res([π]) = res(π) and prob([π]) = Σ_{π' ∈ [π]} prob(π'). 

We can now define the probabilistic input/output observables of a given agent 
A in store d as the set 

O(A, d) = {(res([π]), prob([π])) | [π] ∈ Comp(A)/≈} . 

In the following we will adopt the convention that whenever the initial store 
is omitted then it is intended to be true. 

Example 1. [CHM02] Consider an ATM (Automatic Teller Machine) accepting 
only a single PIN number n out of m possible PINs, e.g. m = 10000: 

ATM_n ≡ []_{1 ≤ i ≤ m, i ≠ n} ask(PIN_i) → 1 : tell(alarm) 
         [] ask(PIN_n) → 1 : tell(cash) 
⟨p : ATM_n || q : C_i, true⟩            ⟨p : ATM_n || q : C_n, true⟩ 
          ↓                                        ↓ 
⟨p : ATM_n || q : stop, PIN_i⟩          ⟨p : ATM_n || q : stop, PIN_n⟩ 
          ↓                                        ↓ 
⟨p : stop || q : stop, alarm ⊔ PIN_i⟩   ⟨p : stop || q : stop, cash ⊔ PIN_n⟩ 

Fig. 1. Execution of a program simulating the interaction with an ATM 



This agent simulates an ATM which recognises PIN_n: if PIN_n has been told 
the machine dispenses cash, otherwise — for any incorrect PIN_i — it sounds an 
alarm. 

Consider now the following agent representing the client whose PIN is i: 

C_i = ask(true) → 1 : tell(PIN_i). 

The computational paths for the parallel composition M_i = p : ATM_n || 
q : C_i are given in Figure 1 respectively for the case in which i = n and 
i ≠ n. When run in the initial store true, agent ATM_n is not active (no con- 
straint PIN_j, 1 ≤ j ≤ m, is entailed by the store); thus C_i is scheduled with 
probability 1 (obtained by q after normalisation). The resulting configuration 
is ⟨p : ATM_n || q : stop, PIN_i⟩. Now the only active agent is ATM_n which is 
then executed with (normalised) probability 1 leading to the final configuration 
⟨stop, cash⟩ in the case where the PIN number is correct (right hand side deriva- 
tion in Figure 1) and ⟨stop, alarm⟩ in the case where the PIN number is wrong 
(left hand side derivation in Figure 1). 

The observables are then O(M_i) = {(PIN_i ⊔ alarm, 1)} for i ≠ n, O(M_i) = 
{(PIN_n ⊔ cash, 1)} for i = n. 



2.3 Probabilistic Noninterference and Identity Confinement 

The original idea of noninterference as stated in [GM82] can be expressed in the 
PCCP formalism via the notion of identity confinement. Roughly, this notion 
establishes whether it is possible to identify which process is running in a given 
program. Therefore, given a set of agents and a set of potential intruders, the 
latter cannot see what the former set is doing, or more precisely, no spy is able 
to find out which of the agents in the first group is actually being executed. 
This formulation is the natural translation in the context of PCCP of the notion 
of confinement typically expressed in imperative languages via the values of 
variables [SS00]. 

The following example illustrates the notion of identity confinement as com- 
pared to the imperative formulation. It also shows the difference between non- 
deterministic and probabilistic (identity) confinement. 
Example 2. In an imperative language, confinement — as formulated for ex- 
ample in [SS99,SS00] — usually refers to a standard two-level security model 
consisting of high and low level variables. One then considers the (value of the) 
high variable h as confined if the value of the low level variable l is not “in- 
fluenced” by the value of the high variable, i.e. if the observed values of l are 
independent of h. 

The following statement illustrates the difference between nondeterministic 
and probabilistic confinement: 

h := h mod 2; (l := h  []_{1/2}  (l := 0  []_{1/2}  l := 1)) 

The value of l clearly depends “somehow” on h. However, if we resolve the choice 
nondeterministically it is impossible to say anything about the value of h by 
observing the possible values of l. Concretely, we get the following dependencies 
between h and possible values of l: 

— For h mod 2 = 0: {l = 0, l = 1} 

— For h mod 2 = 1: {l = 1, l = 0}, 

i.e. the possible values of l are the same independently from the fact that h is 
even or odd. In other words, h is nondeterministically confined. 

In a probabilistic setting the observed values for l and their probabilities 
allow us to distinguish cases where h is even from those where h is odd. We have 
the following situation: 

— For h mod 2 = 0: {(l = 0, 3/4), (l = 1, 1/4)} 

— For h mod 2 = 1: {(l = 0, 1/4), (l = 1, 3/4)} 

Therefore, the probabilities to get l = 0 and l = 1 reveal if h is even or odd, i.e. 
h is probabilistically not confined. 

Example 3. We can re-formulate the situation above in our declarative setting 
by considering the following agents: 

hOn = ask(true) → 1/2 : tell(on) [] ask(true) → 1/2 : Rand 

hOff = ask(true) → 1/2 : tell(off) [] ask(true) → 1/2 : Rand 

Rand = ask(true) → 1/2 : tell(on) [] ask(true) → 1/2 : tell(off) 

The constraint system consists of four elements: 

C = {true, on, off, false = on ⊔ off} , 

where true ⊑ on ⊑ false and true ⊑ off ⊑ false. 

The constraints on and off represent the situations in which the low variable 
l = 1 or l = 0 respectively. The agent hOn corresponds then to the behaviour 
of the imperative program fragment in case that h mod 2 = 1, while hOff 
corresponds to the case where h mod 2 = 0. The auxiliary agent Rand corre- 
sponds to the second choice in the above imperative fragment. The imperative 
notion of confinement now translates in our framework into a problem of identity 
confinement: getting information about h in the previous setting is equivalent 
to discriminating between hOn and hOff, i.e. revealing their identity. The two 
agents will be identity confined if they are observationally equivalent in any 
context. 

As explained in Section 2.2, the observables of a PCCP agent correspond 
to a distribution on the constraint system, that is a vector in the space V(C). 
Thus, the difference between two observables corresponds to the vector difference 
between the given observables and can be measured by means of a norm. We 
adopt here the supremum norm || · ||_∞ formally defined as 

||(x_i)_{i ∈ I}||_∞ = sup_{i ∈ I} |x_i| , 

where (x_i)_{i ∈ I} represents a probability distribution. However, as long as we are 
interested in defining the identity of two vectors, any p-norm ||(x_i)_{i ∈ I}||_p = 
(Σ_{i ∈ I} |x_i|^p)^{1/p} would be appropriate. 

Probabilistic identity confinement is then defined as follows [DHW01]: 

Definition 4. Two agents A and B are probabilistically identity confined iff 
their observables are identical in any context, that is for all agents S, 

O(p : A || q : S) = O(p : B || q : S) 

or equivalently, 

||O(p : A || q : S) − O(p : B || q : S)||_∞ = 0 , 

for all scheduling probabilities p and q = 1 − p. 

Example 4. It is easy to check that any context can distinguish between the 
agents hOn and hOff of Example 3. In fact, even if executed on their own their 
observables are different (cf. Figure 2): 

O(hOn, true) = {(on, 3/4), (off, 1/4)} ≠ {(on, 1/4), (off, 3/4)} = O(hOff, true) . 

Therefore hOn and hOff are not probabilistically identity confined. 

Example 5. Consider the following two PCCP agents [DHW01]: 

A = 1/2 : tell(c) || 1/2 : tell(d) 

B = tell(c ⊔ d). 
⟨hOn, true⟩ → ⟨stop, on⟩ | ⟨stop, off⟩        ⟨hOff, true⟩ → ⟨stop, off⟩ | ⟨stop, on⟩ 

Fig. 2. Transitions for hOn and hOff 

⟨1/2 : tell(c) || 1/2 : tell(d), true⟩ ⟹ ⟨stop, c ⊔ d⟩ 

Fig. 3. Independent Executions of A and B 

It is easy to see that in their nondeterministic versions A and B executed in 
any context give the same observables. A and B are thus nondeterministically 
identity confined. 

Treating the choice probabilistically still gives us the same observables for 
A and B if they are executed on their own (cf. Figure 3), but they are not 
probabilistically confined. A context which reveals the identity of A and B is for 
example the agent: 

C = ask(c) → 1/3 : tell(e) [] ask(d) → 2/3 : tell(f), 

as the executions of A and B in this context give different observables (cf. Fig- 
ure 4 and Figure 5): 

O(1/2 : A || 1/2 : C) = {(c ⊔ d ⊔ e, 5/12), (c ⊔ d ⊔ f, 7/12)} 
O(1/2 : B || 1/2 : C) = {(c ⊔ d ⊔ e, 1/3), (c ⊔ d ⊔ f, 2/3)}, 
⟨stop, c ⊔ d ⊔ e⟩   ⟨stop, c ⊔ d ⊔ f⟩ 

Fig. 4. Executions of A in Context C 

⟨1/2 : B || 1/2 : C, true⟩ → ⟨C, c ⊔ d⟩ → ⟨stop, c ⊔ d ⊔ e⟩ | ⟨stop, c ⊔ d ⊔ f⟩ 

Fig. 5. Executions of B in Context C 



We observe that if we restrict to a particular class of contexts, namely those 
of the form: 

D = ask(g) → 1 : tell(h), 

then A and B are probabilistically identity confined with respect to these agents: 
for any choice of the scheduling probabilities p and q = 1 − p, we obtain the same 
observables for the parallel compositions of D with A and B respectively. 

If neither c nor d entails g then D will never be executed, and the executions 
of p : A || q : D and p : B || q : D are essentially the same as for A and B alone 
(cf. Figure 3). 

If only d entails g we obtain the derivations in Figure 6. The case where g 
is entailed by c alone is analogous. In all cases we end up with a single result 
c ⊔ d ⊔ h with probability one. 
Fig. 6. Executions in context D when d entails g: (p : A || q : D, true) → (p : tell(d) || q : D, c), (p : tell(c) || q : D, d) → … → (stop, c ⊔ d ⊔ h); (p : B || q : D, true) →1 (D, c ⊔ d) →1 (stop, c ⊔ d ⊔ h)



The derivations of p : A || q : D and p : B || q : D in the case that both c
and d entail g are depicted in Figure 7: again we obtain the same result c ⊔ d ⊔ h
with probability one.

In general, identical behaviour in all contexts is hardly ever achievable. It 
therefore makes sense to ask for identical observables if A and B are executed 
in parallel with agents with only limited capabilities. Moreover, the power of a 
context can be evaluated in terms of its ability to distinguish the behaviours 
of two agents. It is also reasonable to think that its effectiveness will depend 
on the probabilities of the scheduling in the interleaving with the given agents. 
This leads to the definition of a weaker (and yet more practical) notion of prob- 
abilistic identity confinement which is parametric in the type of context S and 
the scheduling probability p. We will introduce such a notion, which we call 
approximate identity confinement, in the next section. 

2.4 Approximate Identity Confinement 

In Section 1 we argued that it is practically more useful to base noninterference
properties on some similarity notions instead of equivalence ones.

The confinement notion discussed above is exact in the sense that it refers to 
the equivalence of the agents’ behaviour. In this section, we introduce a technique 
which allows us to relax confinement to an approximate and yet more effective 
notion. 

The intuitive idea behind such a notion is that we look at how much the 
behaviours of two agents differ, instead of qualitatively asserting whether they 
are identical or not. In particular, in the probabilistic case we can measure the
distance ε between the distributions representing the agents’ observables instead
of checking whether this difference is 0. We can then say that the agents are ε-
confined for some ε > 0.
Fig. 7. Executions in context D when both c and d entail g: (p : A || q : D, true) → (p : tell(d) || q : D, c), (p : tell(c) || q : D, d) → (tell(d), c ⊔ h), (D, c ⊔ d), (tell(c), d ⊔ h) → (stop, c ⊔ d ⊔ h); (p : B || q : D, true) →1 (D, c ⊔ d) →1 (stop, c ⊔ d ⊔ h)



We illustrate this idea by means of the ATM example introduced in Sec- 
tion 2.2. 

Example 6. Consider the program in Example 1 which simulates an ATM (Au-
tomatic Teller Machine) accepting only a single PIN number n out of m possible
PINs, e.g. m = 10000:

ATM_n = []_{i=1, i≠n}^{m} ask(PIN_i) → 1 : tell(alarm)
        [] ask(PIN_n) → 1 : tell(cash)

The following agent simulates a spy which tries a random PIN number i:

S = []_{i=1}^{m} ask(true) → 1 : tell(PIN_i)

If we consider two such machines ATM_{n1} and ATM_{n2} for n1 ≠ n2 and
execute them in context S we obtain two slightly different observables, namely:

O(p : ATM_{n1} || q : S) = {(PIN_{n1} ⊔ cash, 1/m)} ∪ {(PIN_i ⊔ alarm, 1/m)}_{i≠n1}

and

O(p : ATM_{n2} || q : S) = {(PIN_{n2} ⊔ cash, 1/m)} ∪ {(PIN_i ⊔ alarm, 1/m)}_{i≠n2}.

Clearly, O(p : ATM_{n1} || q : S) and O(p : ATM_{n2} || q : S) are different.
For most PINs both machines will sound an alarm in most cases, but if we are
lucky, the spy will use the correct PINs in which case we are able to distinguish
the two machines (besides earning some cash). The chances for this happening
are small but are captured essentially if we look at the difference between the
observables:

‖O(p : ATM_{n1} || q : S) − O(p : ATM_{n2} || q : S)‖ = 1/m

The set {ATM_n}_n is ε-confined with respect to S with ε = 1/m but not strictly
confined. In the practical applications, m is usually very large, that is ε is very
small, which makes it reasonable to assume the ATM’s agents as secure although
not exactly confined.

The notion of approximate identity confinement we will define in the follow- 
ing is based on the idea of measuring how much the behaviour of two agents 
differs if we put them in a certain context. We will refer to such a context as 
spy or attacker. This restriction makes sense as no system is secure against an 
omnipotent attacker [LMMS98] and its security depends on the quality of the 
possible attacker. We will discuss in the following different kinds of such attack- 
ers. 

As an example, consider the class of attackers expressed in PCCP by:

𝒮_n = { []_{i=1}^{n} ask(c_i) → p_i : tell(f_i) },

where f_i ∈ C are fresh constraints, that is constraints which never appear in the
execution of the host agents, and c_i ∈ C. These agents are passive and memo-
ryless attackers. They do not change the behaviour of the hosts, and are only
allowed to interact with the store in one step. Nevertheless, they are sufficient
for formalising quite powerful attacks such as the timing attacks in [Koc95].

A generalisation of this class is to consider active spies (e.g. Example 7 and
Example 1) and/or spies with memory such as ask(c) → p : ask(d) → q : tell(f).



Example 7. Consider the two agents:

A = ask(c) → 1 : tell(d)
B = stop.

If executed in store true, A and B are obviously confined with respect to any
passive spy. They both do nothing, and it is therefore impossible to distinguish
them by just observing. However, for an active spy like S = tell(c) it is easy to
determine if it is being executed in parallel with A or B. Note that if executed in
any store d such that d ⊢ c, the two agents A and B are always distinguishable
because their observables are different.

The notion of approximate confinement which we introduce in the following is
a generalisation of the identity confinement introduced in [DHW01] and defined
in Section 2.3. The definition we give is parametric with respect to a set of
admissible spies 𝒮 and scheduling probabilities p and q = 1 − p. We say that two
agents A and B are approximately confined with respect to a set of spies 𝒮 iff
there exists an ε > 0 such that for all S ∈ 𝒮 the distance between the observables
of p : A || q : S and p : B || q : S is smaller than ε. We consider as a measure
for this distance the supremum norm ‖·‖_∞ as in Definition 4. In this case, the
choice of this norm is particularly appropriate because it allows us to identify a
single constraint c for which the associated probabilities are maximally different.
In the following we will usually omit the index ∞.

Definition 5. Given a set of admissible spies 𝒮, we call two agents A and B
ε-confined for some ε > 0 iff:

sup_{S ∈ 𝒮} ‖O(p : A || q : S) − O(p : B || q : S)‖ = ε.



This definition can be generalised to a set of more than two agents. 

The number ε associated to a given class of spies 𝒮 can be seen as a measure
of the “power” of 𝒮. In fact, it is strongly related to the number of tests a spy
needs to perform in order to reveal the identity of the host agents. We will make
this argument more precise in the next section. Note that this number depends
on the scheduling probability. This is because the effectiveness of a spy can only
be evaluated depending on the internal design of the host system which is in
general not known to the spy. For example, in [DHW03b] we have presented an
analysis which shows that the “best” spy of the class 𝒮_2 defined above is one
with a choice distribution where p_1 is very close to 0 and p_2 is very close to 1,
or vice versa.

Obviously, if two agents A and B are ε-confined with ε(p) = 0 for all schedul-
ing probability p then they are probabilistically identity confined.
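To make Definition 5 and the computations of Examples 5 and 6 concrete, here is an added example (it is not code from the paper) of a small interpreter for the PCCP fragment used in those examples. It assumes an encoding of agents as nested tuples, constraints as sets of atoms with entailment as set inclusion, and a scheduling in which the probabilities of the enabled branches and active components are renormalised at each step; under these assumptions it reproduces the observables of Example 5, the ε = 1/12 used later in Example 8, the confinement of A and B with respect to the context D for any p, and the ε = 1/m of Example 6.

```python
from fractions import Fraction as F
from itertools import product

# Added example (not the paper's code): a minimal interpreter for the PCCP
# fragment of Examples 5 and 6, used to compute observables and the ε of
# Definition 5.  Constraints are frozensets of atoms: the lub c ⊔ d is set
# union, and a store entails a constraint iff it contains all its atoms.
# Agent syntax (assumed encoding):
#   ('stop',)                                    stop
#   ('tell', constraint)                         tell(c)
#   ('par', [(p1, A1), (p2, A2), ...])           p1 : A1 || p2 : A2 || ...
#   ('choice', [(p1, guard1, A1), ...])          ask(guard1) -> p1 : A1 [] ...
# At each step the probabilities of the enabled branches / active components
# are renormalised; this scheduling is an assumption of the example.

STOP = ('stop',)

def step(agent, store):
    """One-step transitions of (agent, store) as (prob, agent', store')."""
    kind = agent[0]
    if kind == 'stop':
        return []
    if kind == 'tell':
        return [(F(1), STOP, store | agent[1])]
    if kind == 'choice':
        enabled = [(p, a) for p, g, a in agent[1] if g <= store]
        total = sum(p for p, _ in enabled)
        return [(p / total, a, store) for p, a in enabled]
    if kind == 'par':
        comps = agent[1]
        active = [(i, p, step(a, store)) for i, (p, a) in enumerate(comps)]
        active = [t for t in active if t[2]]          # blocked components get no share
        total = sum(p for _, p, _ in active)
        moves = []
        for i, p, trans in active:
            for q, a2, s2 in trans:
                new = list(comps)
                new[i] = (p, a2)
                rest = ('par', new) if any(a != STOP for _, a in new) else STOP
                moves.append((p / total * q, rest, s2))
        return moves
    raise ValueError(kind)

def observables(agent, store=frozenset()):
    """O(agent, store): the distribution over final stores."""
    result, todo = {}, [(F(1), agent, store)]
    while todo:
        pr, a, s = todo.pop()
        trans = step(a, s)
        if not trans:                                  # terminated (or suspended)
            result[s] = result.get(s, F(0)) + pr
        todo += [(pr * q, a2, s2) for q, a2, s2 in trans]
    return result

def sup_distance(o1, o2):
    """Supremum norm ‖o1 − o2‖ of two observables (Definition 4)."""
    return max(abs(o1.get(k, F(0)) - o2.get(k, F(0))) for k in set(o1) | set(o2))

def epsilon(agents, spies, p):
    """ε of Definition 5: largest sup-distance between the observables of any
    two hosts run as p : host || (1 - p) : spy, over all admissible spies."""
    p = F(p)
    eps = F(0)
    for spy in spies:
        obs = [observables(('par', [(p, a), (1 - p, spy)])) for a in agents]
        for o1, o2 in product(obs, repeat=2):
            eps = max(eps, sup_distance(o1, o2))
    return eps

def c(*atoms):
    return frozenset(atoms)

def in_context(agent, spy, p):
    """Observables of p : agent || (1 - p) : spy, with stores shown as strings."""
    obs = observables(('par', [(F(p), agent), (1 - F(p), spy)]))
    return {''.join(sorted(k)): float(v) for k, v in obs.items()}

# Example 5: A = 1/2 : tell(c) || 1/2 : tell(d), B = tell(c ⊔ d),
# C = ask(c) -> 1/3 : tell(e) [] ask(d) -> 2/3 : tell(f), D = ask(g) -> 1 : tell(h)
A = ('par', [(F(1, 2), ('tell', c('c'))), (F(1, 2), ('tell', c('d')))])
B = ('tell', c('c', 'd'))
C = ('choice', [(F(1, 3), c('c'), ('tell', c('e'))), (F(2, 3), c('d'), ('tell', c('f')))])
D = ('choice', [(F(1), c('g'), ('tell', c('h')))])
# the same hosts when d entails g (d is modelled as the atoms {d, g})
A_g = ('par', [(F(1, 2), ('tell', c('c'))), (F(1, 2), ('tell', c('d', 'g')))])
B_g = ('tell', c('c', 'd', 'g'))

# Example 6: ATM_n answering PIN_n with cash and any other PIN with alarm,
# and the spy S telling a uniformly chosen PIN out of m
def atm(n, m):
    return ('choice', [(F(1), c(f'PIN{i}'), ('tell', c('cash' if i == n else 'alarm')))
                       for i in range(1, m + 1)])

def spy(m):
    return ('choice', [(F(1), c(), ('tell', c(f'PIN{i}'))) for i in range(1, m + 1)])

if __name__ == '__main__':
    print(in_context(A, C, F(1, 2)), in_context(B, C, F(1, 2)))
    print('eps(A,B | C) =', epsilon([A, B], [C], F(1, 2)))                          # 1/12
    print('eps(A,B | D) =', epsilon([A_g, B_g], [D], F(1, 4)))                      # 0 for any p
    print('eps(ATM_1, ATM_2 | S) =', epsilon([atm(1, 4), atm(2, 4)], [spy(4)], F(1, 2)))  # 1/m
```

The ε of Definition 5 is the supremum of the ‖·‖_∞ distance over the admissible spies, so `epsilon` takes a list of hosts and a list of spies and returns the largest difference it finds; a family that is confined only with respect to a restricted class of contexts (such as D) shows a non-zero ε as soon as a stronger spy (such as C) is added to the list.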



2.5 Statistical Interpretation 

The notion of approximate confinement is strongly related to statistical concepts, 
in particular to so-called hypothesis testing (see e.g. [Sha99]). 

Identification by Testing. Let us consider the following situation. We have
two agents A and B which are attacked by a spy S. Furthermore, we assume
that A and B are ε-confined with respect to S. This means that the observables
O(p : A || q : S) and O(p : B || q : S) are ε-similar. In particular, as the
observables do not include infinite results, we can identify some constraint c ∈ C
such that |p_A(c) − p_B(c)| = ε, where p_A(c) is the probability of the result c in
an execution of p : A || q : S and p_B(c) is the probability that c is a result of
p : B || q : S.

Following the standard interpretation of probabilities as “long-run” relative
frequencies, we can thus expect that the number of times we get c as result of an
execution of p : A || q : S and p : B || q : S will differ “on the long run” by exactly
a factor ε. That means if we execute p : A || q : S or p : B || q : S “infinitely”
often we can determine p_A(c) and p_B(c) as the limit of the frequencies with
which we obtain c as result.
In fact, for any unknown agent X we can attempt to determine p_X(c) ex-
perimentally by executing p : X || q : S over and over again. Assuming that X
is actually the same as either A or B we know that the p_X(c) we obtain must
be either p_A(c) or p_B(c). We thus can easily determine this way if X = A or
X = B, i.e. reveal the identity of X (if ε ≠ 0), simply by testing.

Unfortunately — as J.M. Keynes pointed out — we are all dead on the long
run. The above described experimental setup is therefore only of theoretical
value. For practical purposes we need a way to distinguish A and B by finite
executions of p : A || q : S and p : B || q : S. If we execute p : A || q : S and
p : B || q : S only a finite number of — say n — times, we can observe a certain
experimental frequency p_A^n(c) and p_B^n(c) for getting c as a result. Each time we
repeat this finite sequence of n executions we may get different values for p_A^n(c)
and p_B^n(c) (only the infinite experiments will eventually converge to the same
constant values p_A(c) and p_B(c)).

Analogously, we can determine the frequency p_X^n(c) for an unknown agent X
by testing, i.e. by looking at n executions of p : X || q : S. We can then try to
compare p_X^n(c) with p_A^n(c) and p_B^n(c) or with p_A(c) and p_B(c) in order to find
out if X = A or X = B. Unfortunately, there is neither a single value for either
p_A^n(c), p_B^n(c) or p_X^n(c) (each experiment may give us different values) nor can we
test if p_X^n(c) = p_A^n(c) or p_X^n(c) = p_B^n(c) nor if p_X^n(c) = p_A(c) or p_X^n(c) = p_B(c).

For example, it is possible that c is (coincidentally) not the result of the first
execution of p : X || q : S, although the (long-run) probabilities of obtaining c
by executing p : A || q : S or p : B || q : S are, let’s say, p_A = 0.1 and p_B = 0.5.
If we stop our experiment after n = 1 executions we get p_X^n(c) = 0. We know
that X = A or X = B but the observed p_X^n(c) is different from both p_A and p_B.

Nevertheless, we could argue that it is more likely that X = A as the observed
p_X^n(c) = 0 is closer to p_A = 0.1 than to p_B = 0.5. The problem is now to
determine, on the basis of such experiments, how much the identification of
X with A is “more correct” than identifying X with B on the basis of such
experiments.

For finite experiments we can only make a guess about the true identity of X,
but never definitely reveal its identity. The confidence we can have in our guess
or hypothesis about the identity of an unknown agent X — i.e. the probability
that we make a correct guess — depends obviously on two factors: the number
of tests n and the difference ε between the observables of p : A || q : S and
p : B || q : S.

Hypothesis Testing. The problem is to determine experimentally if the un-
known agent X is one of two known agents A and B. The only way we can
obtain information about X is by executing it in parallel with a spy S. In this
way we can get an experimental estimate for the observables of p : X || q : S.
We then can compare this estimate with the observables of p : A || q : S and
p : B || q : S.

That means: based on the outcome of some finite experiments (involving an
unknown agent X) we formulate a hypothesis H about the identity of X, namely
either that “X is A” or that “X is B”. Our hypothesis about the identity of X
will be formulated according to a simple rule: depending if the experimental
estimate for the observables of p : X || q : S are closer to O(p : A || q : S) or to
O(p : B || q : S) we will identify X with A or B respectively.

More precisely, the method to formulate the hypothesis H about the identity
of the unknown process X consists of the two following steps:

1. We execute p : X || q : S exactly n times in order to obtain an experimental
approximation, i.e. average, for its observables

O_n(p : X || q : S)(c) = (# of times c is the result) / n

2. Depending if O_n(p : X || q : S) is closer to the observables O(p : A || q : S)
or O(p : B || q : S) we formulate the hypothesis

H : X = A if ‖O_n(p : X || q : S) − O(p : A || q : S)‖ < ‖O_n(p : X || q : S) − O(p : B || q : S)‖,
    X = B otherwise.



The question is now whether the guess expressed by the hypothesis H about 
the true identity of the black box X, which we formulate according to the above 
procedure, is correct; or more precisely: what is the probability that the hypoth- 
esis H holds? To do this we have to distinguish two cases or scenarios: 

X is actually A: What is the probability (in this case) that we formulate the
correct hypothesis H : X is A and what is the probability that we formulate
the incorrect hypothesis H : X is B?

X is actually B: What is the probability (in this case) that we formulate the
correct hypothesis H : X is B and what is the probability that we formulate
the incorrect hypothesis H : X is A?



Clearly, in each case the probability to formulate a correct hypothesis and 
the probability to formulate an incorrect hypothesis add up to one. Furthermore, 
it is obvious that both scenarios “X is actually A” and “X is actually B” are 
symmetric. We will therefore investigate only one particular problem. Suppose 
that X is actually agent A, what is the probability that — according to the above 
procedure — we formulate the — in this case — correct hypothesis H : X is A. 

In the following we use the notation p_X(c) and p_X^n(c) to denote the probability
assigned to c ∈ C in the distribution representing the observables O(p : X || q : S)
and in the experimental average O_n(p : X || q : S) respectively. Furthermore, we
look at a simplified situation where we are considering only a single constraint c
where the difference between p_A(c) and p_B(c) is maximal. Let us assume without
loss of generality that p_A(c) < p_B(c) as in the diagram below:

[diagram: the unit interval [0, 1] with p_A(c) and p_B(c) marked at distance ε; the region to the left of their midpoint is labelled “X is A”, the region to the right of it “X is B”]

If the experimental value p_X^n(c) = p_A^n(c) we obtained in our test is anywhere
to the left of p_A(c) + ε/2 then the hypothesis H we formulate (based on p_A^n(c))
will be the correct one: “X is A”; if the experimental value is to the right of
p_A(c) + ε/2 we will formulate the incorrect hypothesis: “X is B”.

Under the assumption that “X is actually A” the probability P(H) that we
will formulate the correct hypothesis “X is A” is therefore:

P(p_A^n(c) < p_A(c) + ε/2) = 1 − P(p_A(c) + ε/2 < p_A^n(c)).

To estimate P(H) we have just to estimate the probability P(p_A^n(c) < p_A(c) +
ε/2), i.e. that the experimental value p_A^n(c) will be left of p_A(c) + ε/2.

Confidence Estimation. The confidence we can have in the hypothesis H
we formulate is true can be determined by various statistical methods. These
methods allow us to estimate the probability that an experimental average
— in our case p_A^n(c) — is within a certain distance from the corresponding
expectation value E(X) — here p_A(c) — i.e. the probability

P(|X_n − E(X)| < ε)

for some ε > 0. These statistical methods are essentially all based on the central
limit theorem, e.g. [Bil86,GS97,Sha99].

The type of tests we consider here to formulate a hypothesis about the iden-
tity of the unknown agent X are described in statistical terms by so called
Bernoulli Trials which are parametric with respect to two probabilities p and
q = 1 − p (which have nothing to do with the scheduling probabilities above).
The central limit theorem for this type of tests [GS97, Thm 9.2] gives us an
estimate for the probability that the experimental value S_n = n · X_n after n
repetitions of the test will be in a certain interval [a, b]:

lim_{n→∞} P(a ≤ S_n ≤ b) = (1/√(2π)) ∫_{a*}^{b*} e^{−x²/2} dx,

where

a* = (a − np) / √(npq)  and  b* = (b − np) / √(npq).

Unfortunately, the integral of the so called standard normal density on the
right hand side of the above expression is not easy to obtain. In practical situa-
tions one has to resort to numerical methods or statistical tables, but it allows
us — at least in principle — to say something about P(H).

Identifying S_n with n · p_A^n we can utilise the above expression to estimate the
probability P(p_A(c) + ε/2 < p_A^n) which determines P(H). In order to do this we
have to take:

a = p_A(c) + ε/2
b = ∞
p = p_A(c)
q = 1 − p_A(c).

This allows us — in principle — to compute the probability:

P(p_A(c) + ε/2 ≤ p_A^n(c) ≤ ∞).

Approximating — as it is common in statistics — P(p_A(c) + ε/2 < p_A^n) by
lim P(p_A(c) + ε/2 < p_A^n) we get:

P(H) = 1 − P(p_A(c) + ε/2 < p_A^n(c))
     ≈ 1 − lim_{n→∞} P(p_A(c) + ε/2 < p_A^n(c))
     = 1 − (1/√(2π)) ∫_{a_0}^{∞} e^{−x²/2} dx

with

a_0 = (nε/2) / √(npq) = ε√n / (2√(pq)) = ε√n / (2√(p_A(c)(1 − p_A(c)))).

We see that the only way to increase the probability P(H), i.e. the confidence
that we formulate the right hypothesis about the identity of X, is by minimising
the integral. In order to do this we have to increase the lower bound a_0 of
the integral. This can be achieved — as one would expect — by increasing the
number n of experiments.

We can also see that for a smaller ε we have to perform more tests n to reach
the same level of confidence P(H). The smaller n the harder it is to distinguish
A and B experimentally. Note that for ε = 0, the probability of correctly guessing
which of the agents A and B is in the black box is 1/2, which is the best blind
guess we can make anyway. In other words: for ε = 0 we cannot distinguish
between A and B.



Example 8. Consider the agents in Example 5. The problem is to determine from
the experimentally obtained approximation of the observables O_n(1/2 : X || 1/2 : C)
for X = A or X = B the true identity of X. If, for example, X is actually agent
A and if we concentrate on the constraint c ⊔ d ⊔ e we have

ε = 1/12 and p = p_A(c ⊔ d ⊔ e) = 5/12.

The probability P(H) to formulate the correct hypothesis H depends on the
lower bound a_0 of the above integral, i.e. the normal distribution N(a_0, ∞):

P(H) = 1 − (1/√(2π)) ∫_{a_0}^{∞} e^{−x²/2} dx = 1 − N(a_0, ∞).

The bound a_0 in turn depends on the number n of experiments we perform. The
value of a_0 for 9 tests is:

a_0(9) = (1/12) · √9 / (2 · √(35/144)) = 3 / (2√35) ≈ 0.25355

while for 144 tests we get:

a_0(144) = (1/12) · √144 / (2 · √(35/144)) = 6 / √35 ≈ 1.0142.

In other words, if we repeat the execution of 1/2 : X || 1/2 : C exactly 9 times,
the probability of formulating a correct hypothesis H about the identity of X is
about (using a normal distribution table, e.g. [GS97, p499]):

P(H) = 1 − N(a_0(9), ∞) ≈ 0.5987,

but if we perform 144 tests our confidence level will rise to

P(H) = 1 − N(a_0(144), ∞) ≈ 0.8413.

For 9 tests the hypothesis formulated will be right with an about 60% chance,
while for 144 tests it will be correct with about 85%.
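The hypothesis rule and the confidence estimate of this section, as an added example in Python (it is not code from the paper). It assumes nothing beyond the formulas above: the bound a_0, the normal tail N(a_0, ∞) (evaluated with the error function rather than a table, so the values for Example 8 come out as about 0.600 and 0.845 instead of the table-rounded 0.5987 and 0.8413), and, for comparison, the exact binomial probability of formulating the correct hypothesis, which the central limit theorem approximates.

```python
import math
from fractions import Fraction

# Added example (not from the paper): the identification-by-testing procedure
# of Section 2.5 and the confidence estimate of Example 8, for one constraint
# c whose long-run probabilities under the two hosts are pA = p_A(c), pB = p_B(c).

def hypothesis(freq, pA, pB):
    """Step 2 of the procedure: identify X with the agent whose probability
    for c is closer to the experimental frequency freq = p_X^n(c)."""
    return 'A' if abs(freq - pA) <= abs(freq - pB) else 'B'

def a0(eps, pA, n):
    """Lower bound a_0 = ε√n / (2√(p_A(c)(1 − p_A(c)))) of the normal integral."""
    return eps * math.sqrt(n) / (2 * math.sqrt(pA * (1 - pA)))

def normal_tail(a):
    """N(a, ∞) = ∫_a^∞ e^{-x²/2} / √(2π) dx, evaluated with erfc instead of a table."""
    return 0.5 * math.erfc(a / math.sqrt(2))

def confidence_clt(eps, pA, n):
    """P(H) ≈ 1 − N(a_0, ∞): probability of formulating the correct hypothesis
    'X is A' when X really is A, by the central limit theorem."""
    return 1.0 - normal_tail(a0(eps, pA, n))

def confidence_exact(pA, pB, n):
    """The same probability computed exactly: the number k of the n executions
    that return c is Binomial(n, p_A(c)); the hypothesis rule is applied to k/n
    and the mass of the outcomes classified as 'A' is summed (no approximation).
    pA and pB are given as exact fractions, e.g. '5/12'."""
    pA, pB = Fraction(pA), Fraction(pB)
    return sum(math.comb(n, k) * pA**k * (1 - pA)**(n - k)
               for k in range(n + 1) if hypothesis(Fraction(k, n), pA, pB) == 'A')

if __name__ == '__main__':
    # Example 8: ε = 1/12, p_A(c ⊔ d ⊔ e) = 5/12 and p_B(c ⊔ d ⊔ e) = 1/3
    eps, pA = 1 / 12, 5 / 12
    for n in (9, 144):
        print(f"n={n:3d}  a0={a0(eps, pA, n):.5f}  P(H) by CLT={confidence_clt(eps, pA, n):.4f}"
              f"  exact={float(confidence_exact('5/12', '1/3', n)):.4f}")
```

For n = 9 the exact binomial value (roughly 0.56) is below the normal approximation (0.60) because the frequencies k/9 are coarse; for n = 144 the two agree to within a couple of percent (roughly 0.86 against 0.845), which is the regime the limit theorem is meant for.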



3 Process Algebra Formulation of Noninterference 

3.1 Probabilistic Process Algebra 

Process algebras are specification languages (see, e.g., [BW90,BPS01]) that de-
scribe the behaviour of concurrent systems through actions, which in our setting
are syntactically divided into output actions and input actions, and through
algebraic operators, which in our setting are enriched with probabilistic infor-
mation (see, e.g., [BBS95]). Here we consider a slight variant of the probabilistic
process algebra introduced in [BA03] (a core algebra of the richer calculus
EMPA_gr [BB00]). The algebraic model of a system communicates with the en-
vironment through its inputs and outputs and performs internal computations
through special, unobservable actions, termed τ actions. Formally, we denote
with AType the set of visible action types, ranged over by a, b, . . .. For each
visible action type a, we distinguish the output action a and the input action a*.
The complete set of actions, termed Act and ranged over by π, π', . . ., contains
the input actions and the output actions with type in AType and the action τ.
The set ℒ of process terms, ranged over by P, Q, . . ., is generated by the syntax:

P ::= 0 | π.P | P +^p P | P ||^p_S P | P\L | P/^a_p | A

where S, L ⊆ AType, a ∈ AType, and p ∈ ]0, 1[. 0 expresses the null, deadlocked
term¹, and ., +^p, ||^p_S, \L, and /^a_p denote the prefix, alternative, parallel, restric-
tion, and hiding operators, respectively. Constants A are used to specify recursive
systems. In particular, we assume a set of constants defining equations of the
form A = P to be given. In the rest of the paper, we restrict ourselves to the set
𝒢 of finite state, closed, guarded terms of ℒ, which we call processes [Mil89].

¹ We omit 0 when it is clear from the context.
Now, we informally describe the algebraic operators and the probabilistic
model through an example. The reader interested in details and proofs should
refer to [ABG03].

Example 9. Consider the following abstraction of the Automatic Teller Machine
interacting with a client (cf. Example 1 in Section 2.2):

Client ||^p_S ATM.

The communication interface between processes Client and ATM, defined by
set S = {insert_pin, cash, fail}, says that the two processes (i) interact by syn-
chronously executing actions of type in S, and (ii) asynchronously and inde-
pendently execute each other local action. Probability p is the parameter of
a probabilistic scheduler that, in each system state, decides which of the two
processes must be scheduled, i.e. Client with probability p and ATM with prob-
ability 1 − p.

Now, let us detail each component in isolation. Process Client repeatedly
tries to insert a pin until the right number allows it to withdraw the cash:

Client = insert_pin.Client' +^q τ.Client.

The alternative choice operator says that process Client can either insert
a pin (output action insert_pin) with probability q, and afterwards behaving as
process Client', or stay idle (action τ) with probability 1 − q, and afterwards
behaving as the same process Client. The actions insert_pin and τ follow the
generative model of probabilities [GSS95], which is the same model adopted
by PCCP (cf. Section 2). In essence, the process autonomously decides, on the
basis of a probability distribution (guided by parameter q), which action will be
executed and how to behave after such an event.

Client' = cash*.0 +^{q'} fail*.Client.

Process Client' waits for the answer provided by the environment, i.e., it can
either withdraw cash in case the pin number is right (input action cash*), and
afterwards stopping its execution (see the null term 0), or receive an unsuccessful
message (input action fail*), and afterwards behaving as process Client again.
In practice, process Client' internally reacts to the choice of the action type,
cash or fail, performed by the environment (i.e., the machine). Formally, the
input actions fail* and cash* follow the reactive model of probabilities [GSS95].
In particular, if the machine decides to communicate the action of type fail, then
the client performs with probability 1 the unique input action of that type, which
leads to process Client. Similarly, if the machine outputs the action of type cash,
then the client chooses the input action cash* and then stops its execution. As a
consequence of such a behaviour, parameter q' is not considered or, equivalently,
from the viewpoint of process Client' in isolation, the choice between such actions
is purely nondeterministic, because their execution is entirely guided by the
external environment.
Process ATM, instead, is ready to accept new incoming pins or it stays idle:

ATM = (insert_pin*.fail.ATM +^r insert_pin*.cash.ATM) +^{r'} τ.ATM.

The two actions insert_pin* model the internal reaction of process ATM to
the choice of the action type insert_pin performed by its environment (i.e., the
client). Such a reaction is guided by a probability distribution associated with
the input actions of type insert_pin that process ATM can perform. More pre-
cisely, whenever the action type insert_pin is chosen by the client, process ATM
reacts by choosing either the first action insert_pin* with probability r and
then refusing the pin (output action fail), or the second action insert_pin* with
probability 1 − r and then delivering cash (output action cash). Alternatively,
if process ATM is not accepting pins from the environment, the internal action
τ is repeatedly executed to model the idle periods of the machine. The choice
between the input actions insert_pin* and such an internal event is nondeter-
ministic (parameter r' is not considered), because the execution of an action
insert_pin* is entirely guided by the external environment.

According to the considerations above, the processes interact in the composed
system as follows. In the initial state of our example, the system executes a move
of process Client with probability p: it executes either the internal move τ with
probability p · (1 − q), or the synchronising move insert_pin with probability p · q
(with probability p · q · r it executes an insert_pin action synchronised with the
first input action of process ATM and with probability p · q · (1 − r) an insert_pin
action synchronised with the second input action of process ATM). Note that
the result of a synchronisation between an output action insert_pin and an input
action insert_pin* is again an output action of type insert_pin (similarly as in
CSP [Hoa85]). On the other hand, the system may schedule with probability
1 − p process ATM by executing its internal action τ, which gets the entire
probability 1 − p associated to process ATM. Afterwards, if, e.g., the winning
action is the action insert_pin leading to term Client' ||^p_S cash.ATM, then the
system executes the synchronising action cash with probability 1, because it is
the unique action that can be performed by the composed system. In particular,
note that action fail* of process Client' is blocked, because the environment of
process Client', represented by process cash.ATM, is not available to output a
corresponding output action fail. In Figure 8 we report the labeled transition
systems that are associated with processes Client and ATM in isolation and
with the composed system.

The example above emphasises some features of the probabilistic process 
algebra that we now describe in more detail. 

As far as the CSP-like communication policy is concerned, in any binary 
synchronisation at most one output action can be involved and, in such a case, 
the result is an output action of the same type. Instead, in case two input actions 
of type a synchronise, then the result is again an input action of type a. We recall 
that the actions belonging to the communication interface are constrained to 
synchronise, while all the other actions are locally and independently executed 
by the processes that compose the system. 
Fig. 8. Labeled transition systems associated to different process terms (Client, ATM, and Client ||^p_S ATM). Transitions
are labeled with an action and a probability, which is equal to 1 if omitted



As far as the probability model is concerned, we have seen that output and 
internal actions follow the generative model, while input actions follow the reac- 
tive model. Probabilistic choices among output/internal actions or among input 
actions of the same type are fully probabilistic, while in each other case the 
choice is purely nondeterministic. This is because input actions are underspeci- 
fied, in the sense that their execution is guided by the environment behaviour. 
Hence, the parameters that probabilistically guide the choices come into play if 
and only if a probabilistic choice is really to be performed. Moreover, Example 9 
has emphasised the following behaviors of the parallel operator: 

— In case the execution of some output actions of P is prevented in P ||^p_S Q
(P\L), the probabilities of executing the remaining output/internal actions
of P are proportionally redistributed (similarly for Q). That is a stan-
dard approach when restricting actions in the generative model of proba-
bilities [GSS95], as also seen in case of PCCP (cf. Section 2).

— In case of synchronising output actions a of P in P ||^p_S Q, their probability
is distributed among the multiple actions a obtained by synchronising with
input actions a* executable by Q, according to the probability the actions
a* are chosen in Q.

As a consequence of the policies specified above, we point out that in each 
system state of a process term, the sum of the probabilities of output and internal 
actions (input actions of a given type a), if there are any, is always equal to 1. 

Now, we informally describe the behaviour of the hiding operator, which is 
needed to specify security properties. The hiding operator P/^ turns output and 
input actions of type a into actions r, by changing the probabilities according 
to the following rules. 

— As far as output/internal actions executable by P/^ are concerned, we dis- 
tinguish the following cases: 

1. If P enables both some output/internal actions and some input actions 
a*, then P/p chooses an action t (obtained by hiding an action a* of 
P) with probability p and an output/internal action previously enabled 
in P with probability 1 — p. Such a rule guarantees that the hiding 
operator does not introduce nondeterminism among actions that follow 
the generative model of probability. 
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2. If either P does not enable output/internal actions, or P does not enable 
input actions o*, then in P/^ parameter p is not considered. 

— As far as input actions are concerned, P/^ enables the same input actions 
(with the same probability distribution) of type b ^ a enabled in P. 

Example 10. Consider process P = 0 *+”^ (6+^c), where the choice among a* and 
the output actions is purely nondeterministic (parameter q' is not considered). 
The semantics of P/^, which corresponds to process r+^(&+'*c), is a probabilistic 
choice between r, executed with probability p, and the actions b and c, executed 
with probability {l—p)-q and (1 — p) • (1 — q), respectively. Hence, parameter p 
expresses the probability that the action t obtained by hiding the input action 
a, of P is executed with respect to the output actions previously enabled by P. 

A goal of the hiding operator consists of turning open systems (i.e., systems 
enabling reactive choices due to input actions) into fully specified systems (i.e., 
fully generative systems, which do not include nondeterministic behaviours). In 
particular, the hiding operator resolves all the nondeterministic choices due to 
possible interactions with the environment by turning them into probabilistic 
choices. Intuitively, the effect of hiding an input action $a_*$ corresponds to the 
execution of a synchronisation between $a_*$ and an output action $a$ offered by 
the environment. Such an interaction gives rise to an internal action $\tau$ whose 
probability distribution depends on parameter $p$ of the hiding operator. When 
analysing security properties that employ the hiding operator, we will show that 
the low-level behaviour of a secure system does not depend on the choice of 
parameter p. 

In the rest of the paper we use the following abbreviations. We assume pa- 
rameter $p$ to be equal to $\frac{1}{2}$ whenever it is omitted from any probabilistic operator. 
Moreover, when it is clear from the context, we use the abbreviation $P/S$, with 
$S = \{a_1, \ldots, a_n\} \subseteq AType$, to denote the expression $P/a_1 \cdots /a_n$. 

3.2 Operational Semantics and Equivalence 

In this section, we provide a brief formal presentation of the semantics of the 
calculus. The reader not interested in such details can skip the rest of the section 
and proceed with the description of the security model. 

The operational semantics of the probabilistic process algebra is given by 
the labeled transition system $(\mathcal{G}, Act, T)$, whose states are process terms and 
the transition relation $T$ is the least multiset satisfying the operational rules 
reported in Table 3 and in Table 4. For a formal presentation of the semantics 
rules, the reader should refer to [BA03,ABG03], while here we just discuss some 
general aspects. 

As far as the notation is concerned, we denote with $RAct$ and $GAct$ the sets 
of input actions, termed reactive actions, and of output and internal actions, 
termed generative actions, respectively. Then, we use the abbreviation $P \xrightarrow{\pi}$ 
to stand for $\exists p, P' : P \xrightarrow{\pi, p} P'$, denoting that $P$ can execute action $\pi$ with 
probability $p$ and then behave as $P'$, and $P \xrightarrow{G}$, with $G \subseteq GAct$, to stand for 
$\exists a \in G : P \xrightarrow{a}$, meaning that $P$ can execute a generative action belonging to 
set $G$. 

As far as the rules for $P +_p Q$ and $P \|^p_S Q$ are concerned, note that in addition 
to the reported rules, which refer to the local moves of the left-hand process $P$, 
we also consider the symmetric rules taking into account the local moves of the 
right-hand process $Q$. Such symmetric rules are obtained by exchanging the roles 
of terms $P$ and $Q$ in the premises and by replacing $p$ with $1 - p$ in the label 
of the derived transitions. Moreover, we also point out that for both operators, 
parameter $p$ comes into play if and only if a probabilistic choice between $P$ and $Q$ 
is really to be performed. For instance, in case of the alternative choice operator, 
if $P$ enables at least a generative action and $Q$ does not, then $P +_p Q$ performs a 
generative transition of $P$ with probability 1. Otherwise, if both $P$ and $Q$ enable 
some generative actions, then $P +_p Q$ performs a generative transition of $P$ with 
probability $p$. 

Two important remarks are in order in case of the parallel operator. On the 
one hand, if both $P$ and $Q$ can execute some synchronising actions $a_*$ in $P \|_S Q$, 
then the composed system can execute some actions $a_*$: the probability of each 
action $a_*$ executable by $P \|_S Q$ is the product of the probabilities of the two 
actions $a_*$ (one of $P$ and one of $Q$) that are involved in the synchronisation. 
On the other hand, as also explained in the previous section, when considering 
$P \|_S Q$ we must pay attention to the computation of the probability distribution 
of its generative actions, whose overall probability must sum up to 1. To this aim, 
in the semantics rules we employ the function $\nu_P : \mathcal{P}(AType \cup \{\tau\}) \rightarrow\ ]0, 1]$, 
which computes the sum of the probabilities of the generative transitions of 
$P$ (executable by $P \|_S Q$) whose type belongs to the set $G_{S,Q} \subseteq AType \cup \{\tau\}$. In 
particular, the set $G_{S,Q} = \{a \in AType \cup \{\tau\} \mid a \notin S \vee (a \in S \wedge Q \xrightarrow{a_*})\}$ contains 
the action types not belonging to the synchronisation set $S$ and the action types 
belonging to $S$ for which an input action of $Q$ can be performed. Hence, $\nu_P(G_{S,Q})$ 
computes the aggregate probability of the generative transitions of $P$ that can 
be executed by $P \|^p_S Q$ and can be used to normalise the probabilities of the 
generative transitions of $P$. 

Finally, note that the tables omit the rules for the restriction operator. This 
is because it can be easily derived from the parallel operator. Indeed, we have 
that $P \backslash L$ corresponds to process $P \|_L 0$. 

Table 3. Operational semantics (part I) 

Since the security model we are going to present is based on the semantics of 
processes (i.e., the security check considers the program behaviour), we need an 
equivalence relation allowing for a comparison among the observable behaviours 
of different systems. To this aim, we resort to a probabilistic variant of the 
weak bisimulation [BH97], which abstracts away from $\tau$ actions and is able to 
identify deadlock. More precisely, such a relation, termed $\approx_{PB}$, is a probabilistic 
extension of the nondeterministic weak bisimulation ($\approx_B$) of [Mil89]. In essence, 
$\approx_{PB}$ replaces the classical weak transitions of $\approx_B$ by the probability of reaching 
classes of equivalent states. The notion of weak probabilistic bisimulation is based 
on the following definitions (for more details, see [ABG03]). We use a function 
$Prob$ such that $Prob(P, a_*, C)$ denotes the aggregate probability of going from 
$P$ to a term in the class (of equivalent terms) $C$ by executing an action $a_*$. 
Moreover, $Prob(P, \tau^*a, C)$ expresses the aggregate probability of going from $P$ 
to a term in the equivalence class $C$ via sequences of the form $\tau^*a$ (if $a \neq \tau$) or 
$\tau^*$ (if $a = \tau$). Formally: 

$$
Prob(P, \tau^*a, C) = 
\begin{cases} 
1 & \text{if } a = \tau \wedge P \in C \\ 
\sum_{Q \in \mathcal{G}} Prob(P, \tau, Q) \cdot Prob(Q, \tau^*, C) & \text{if } a = \tau \wedge P \notin C \\ 
\sum_{Q \in \mathcal{G}} Prob(P, \tau, Q) \cdot Prob(Q, \tau^*a, C) + Prob(P, a, C) & \text{if } a \neq \tau. 
\end{cases} 
$$

Definition 6. An equivalence relation $R \subseteq \mathcal{G} \times \mathcal{G}$ is a weak probabilistic bisim- 
ulation if and only if, whenever $(P, Q) \in R$, then for all $C \in \mathcal{G}/R$: 

— $Prob(P, \tau^*a, C) = Prob(Q, \tau^*a, C) \quad \forall a \in GAct$ 

— $Prob(P, a_*, C) = Prob(Q, a_*, C) \quad \forall a_* \in RAct$. 

Two terms $P, Q \in \mathcal{G}$ are weakly probabilistically bisimulation equivalent, 
denoted $P \approx_{PB} Q$, if there exists a weak probabilistic bisimulation $R$ containing 
the pair $(P, Q)$. 

Table 4. Operational semantics (part II) 

Note that such a definition requires two equivalent terms to be strongly 
equivalent in case of reactive actions and weakly equivalent in case of generative 
actions. This is because $\tau$ is a generative action, therefore the computation of 
the probability of executing a mixed trace of generative/reactive actions (like, 
e.g., $\tau^*a_*$) does not actually make sense. 

Example 11. Consider the processes $P = a +_{\frac12} b$ and $Q = \tau.Q +_{\frac12} (a +_{\frac12} b)$, 
which, from an external observer viewpoint, behave the same since they execute 
either an output action $a$ or an output action $b$ with equal probabilities. We now 
want to formally verify such an intuition, i.e. we show that $P$ and $Q$ are weakly 
probabilistically bisimulation equivalent. Let $R$ be the relation that considers 
the classes $\{C, [0]\}$, where $C = \{P, Q\}$ and $[0] = \{0\}$. The only interesting case 
is given by $Prob(P, \tau^*\pi, [0]) = \frac12$, where $\pi \in \{a, b\}$. In order to compute the 
probability $Prob(Q, \tau^*\pi, [0])$ we must consider that $Q$ can execute an arbitrary 
number of times the action $\tau$ before reaching state $0$ via an action $a$ ($b$). To this 
aim, we redistribute the probability $\frac12$ associated with the outgoing internal tran- 
sition of $Q$ among the other outgoing transitions of $Q$. Formally, by applying the 
definition of function $Prob$, we obtain $Prob(Q, \tau^*a, [0]) = \frac12 \cdot Prob(Q, \tau^*a, [0]) + \frac14$, 
from which we derive $Prob(Q, \tau^*a, [0]) = \frac12$ (similarly for $b$). Hence, $R$ is a weak 
probabilistic bisimulation and $P \approx_{PB} Q$. 

3.3 Probabilistic Noninterference 

Probabilistic noninterference extends the classical, possibilistic definition of non- 
interference by providing the means for: 

1. capturing those covert channels that are not observable in a purely nonde- 
terministic setting, and 

2. measuring the information leakage in terms of probability of observing the 
related covert channel. 

In this section, we show how to formalise probabilistic noninterference in 
our process algebraic framework, while in the next one we extend the same 
approach in order to deal with the problem of giving a quantitative estimation 
of the information leakage. 

As usual in security models, in our process algebraic framework we distin- 
guish among high-level visible actions and low-level visible actions by defining 
two disjoint sets $AType_H$ of high-level types and $AType_L$ of low-level types, which 
form a covering of $AType$, such that the output action $a$ and the input action 
$a_*$ are high- (low-) level actions if $a \in AType_H$ ($a \in AType_L$). Usually, we use 
$l, l', \ldots$ to denote low-level types and $h, h', \ldots$ to denote high-level types. Then, 
in such a setting, we provide a semantics-based approach to noninterference, i.e., 
an approach where different program behaviours are compared to analyse a se- 
curity property. Roughly, we derive two models from the algebraic specification 
of the system at hand, and then check the semantic equivalence between such 
derived models. On the one hand, the definition of semantic equivalence between 
processes is based on the weak probabilistic bisimulation equivalence $\approx_{PB}$. On 
the other hand, the choice of the sub-models to be compared depends on the def- 
inition of the security property. Here, we consider the noninterference property 
of [Ald01,ABG03], which in turn is the probabilistic version of the Strong Nonde- 
terministic Noninterference property proposed in [FG95] to express the classical 
noninterference idea of [GM82]. In essence, in order to detect potential high-level 
interferences, we compare the low-level behaviours of the system model $P$ that 
can be observed in two different scenarios differing in the high-level behaviours 
only. In the former scenario, $P$ is isolated from the high-level environment, so 
that all its high-level interactions are prevented, while in the latter scenario, $P$ 
interacts with any high-level user that enables all the high-level actions of $P$. 

The definition of Probabilistic Noninterference, here termed PNI, is as fol- 
lows. For the sake of conciseness, we denote with $h_1, \ldots, h_n$ the sequence (in 
alphabetic order) of high-level types that syntactically occur in the action prefix 
operators within $P$. 

Definition 7. $P \in PNI \iff P \backslash AType_H \approx_{PB} P/^{h_1}_{p_1} \cdots /^{h_n}_{p_n} \quad \forall p_1, \ldots, p_n \in\ ]0, 1[$. 

Such a formulation also defines the particular class of adversaries (high-level 
users) with respect to which the probabilistic noninterference property is param- 
eterised. Formally, according to the PNI definition, we can argue as follows. 

On the one hand, $P \backslash AType_H$ expresses the low-level view of the system in 
isolation (without high-level interactions with the environment), since all the 
high-level actions are prevented. 

On the other hand, $P/^{h_1}_{p_1} \cdots /^{h_n}_{p_n}$, $\forall p_1, \ldots, p_n \in\ ]0, 1[$, where all the high-level 
actions are hidden, expresses the low-level view of $P$ in case all the high-level in- 
teractions with the environment are enabled. In this formula, the hiding operator 
models the behaviour of any high-level user $H$ that allows all the high-level ac- 
tions enabled by $P$ to be executed. More precisely, $H$ allows the high-level output 
actions of $P$ (turned into internal $\tau$ actions) to be executed with the probability 
distribution chosen by $P$ itself. On the other hand, $H$ allows the high-level input 
actions of $P$ (turned into internal $\tau$ actions) to be executed with a probability 
distribution chosen by $H$ itself according to parameters $p_1, \ldots, p_n$. 

The class of attackers considered by the PNI property, here called $\mathcal{A}_{PNI}$, 
contains active and memoryless high-level users. More precisely, they are active 
as they can affect the probabilistic behaviour of the system activities, and they 
are memoryless as they cannot alter their behaviour depending on the previous 
history. In particular, as stated by the hiding operators, the probability distri- 
butions for the high-level inputs are chosen a priori and do not change during 
the system execution. 

Example 12. Consider a program that writes a low-level variable in two possible 
ways, only one being legal, and represented by the following system: 

$$
P = \tau.(copy\_secret\_PIN +_{0.001} copy\_random\_value) +_p 
high.(copy\_secret\_PIN +_{0.5} copy\_random\_value). 
$$

If the high-level user interacts with the system (such a communication is mod- 
eled by the execution of the high-level action $high$), then the program assigns to 
the public variable either a confidential value (low-level action $copy\_secret\_PIN$) 
with probability 0.5 or a random value (low-level action $copy\_random\_value$) 
with equal probability 0.5. On the other hand, if the high-level user does not 
interfere, then the program performs an internal activity that leads to the execu- 
tion of the illegal assignment with a negligible probability. The choice between 
the interaction with the high-level user and the internal action is left to the 
system, which performs it according to parameter $p$. 

A nondeterministic approach to noninterference¹ does not reveal any covert 
channel. This is because independently of the high-level behaviour, the low- 
level view of the system is always the same. However, if an external observer 
considers the outcomes of repeated executions of the system, then the rela- 
tive frequency of such outcomes reveals the high-level interference. Formally, 
we have that $P \backslash AType_H$ and $P/AType_H$ are not weakly probabilistically bisim- 
ulation equivalent. For instance, we have that $P \backslash AType_H$ performs the action 
$copy\_secret\_PIN$ (preceded by an invisible transition) with probability 0.001, 
while $P/AType_H$ executes the same observable action (preceded by an invisible 
transition) with probability $p \cdot 0.001 + (1 - p) \cdot 0.5$. Therefore, the PNI property 
is more than enough to capture the probabilistic covert channel described above. 

¹ [Ald02,ABG03] rephrase the approach of [FG95] in a nondeterministic simplification 
of our process algebra, thus obtaining the same security property taxonomy. 



3.4 Approximate Noninterference 

In this section, we show how the knowledge about the probabilistic behaviour of 
a system may help the modeler to give a quantitative estimation of each informa- 
tion leakage, thus overcoming the qualitative view according to which a system 
is or is not secure. More precisely, given a covert channel that is responsible for 
an illegal information flow (which, e.g., could be revealed also in the possibilistic 
setting), we can evaluate the effectiveness of such a covert channel by measuring 
the probability for an external observer of detecting it. 

From a practical standpoint, a quantitative (probabilistic) approach to infor- 
mation flow analysis is useful for the verification of the security level of systems 
for which probabilities play an important role. For instance, many problems 
can be solved by using deterministic algorithms that turn out to be secure and 
require exponential time. On the other hand, probabilistic algorithms are of- 
ten implemented that solve the same problems in polynomial time (see, e.g., 
[CKV00,MR99]). In such a case, the price to pay for a computational gain is the 
possibility for the observer of detecting an illegal information flow. Because of 
such a possibility, a probabilistic algorithm cannot be secure in case we limit the 
information flow analysis to the nondeterministic case. Instead, if we resort to 
a probabilistic approach, we can formally prove that the same algorithm has an 
illegal information flow, which, however, occurs with probability close to 0 (see, 
e.g., [AG02]). Based on these considerations, we need a quantitative approach 
in order to estimate the difference between the non-secure system and a secure 
one. 

In our process algebraic setting, we may try to analyse the labeled transition 
system underlying an algebraic specification, in order to compute the probability 
that an information flow (from high level to low level) really happens. Unfortu- 
nately, a solution to such a problem cannot be provided if the verification of the 
security properties depends on a behavioural equivalence relation like the weak 
probabilistic bisimulation considered in the previous sections. This is because 
any equivalence relation states whether or not two given transition systems be- 
have exactly the same. From a security standpoint, such an approach simply 
provides a binary answer: the system suffers or does not suffer an information 
leakage. Hence, small fluctuations in the system behaviour cannot be tolerated. 
Instead, we need a relaxed relation, which cannot be an equivalence relation, 
allowing for similar processes to be related, where the term similar stands for 
“behave almost the same up to small fluctuations”. 

On the basis of the considerations above, we now introduce a quantitative 
notion of behavioural similarity for deciding if two probabilistic processes are 
confined or, more precisely, for measuring the distance between probabilistic 
transition systems. 
Formally, we now introduce the definition of weak probabilistic bisimulation 
with $\epsilon$-precision, which is a relaxed version of the weak probabilistic bisimulation 
$\approx_{PB}$ presented in Section 3.2. 

Definition 8. A relation $R \subseteq \mathcal{G} \times \mathcal{G}$ is a weak probabilistic bisimulation with 
$\epsilon$-precision, where $\epsilon \in\ ]0, 1[$, if and only if, whenever $(P, Q) \in R$, then for all 
$C \in \mathcal{G}/R$: 

— $|Prob(P, \tau^*a, C) - Prob(Q, \tau^*a, C)| \leq \epsilon \quad \forall a \in GAct$ 

— $|Prob(P, a_*, C) - Prob(Q, a_*, C)| \leq \epsilon \quad \forall a_* \in RAct$. 

We use the abbreviation $P \approx_{PB_\epsilon} Q$ to denote that there exists a weak proba- 
bilistic bisimulation with $\epsilon$-precision $R$ containing the pair $(P, Q)$; alternatively, 
we say that $P$ ($Q$) is an $\epsilon$-perturbation of $Q$ ($P$). Note that $\approx_{PB_\epsilon}$ is not a tran- 
sitive relation and, therefore, it cannot be an equivalence relation. 

Example 13. Let us consider the fully specified transition systems depicted in 
Figure 9, which enable generative transitions only. It is easy to see that they 
cannot be weakly probabilistically bisimulation equivalent according to the def- 
inition of $\approx_{PB}$. Indeed, we have that $s_2$ and $s_4$ belong to the same equivalence 
class, while $s_0$, $s_1$, and $s_3$ are in three separate classes, since they have different 
probabilities of reaching the class $[0]$ of the null term by executing the sequence 
$\tau^*a$ ($\tau^*b$). However, we can observe that the observable behaviours of such sys- 
tems are almost the same up to a perturbation $\epsilon$. More formally, if we tolerate 
a distance at most equal to $\epsilon$, we can define a relation that is a weak probabilis- 
tic bisimulation with $\epsilon$-precision as follows. First, we immediately obtain that $s_1$ 
and $s_2$ ($s_4$) are similar, i.e. they belong to the same class $C$. For the same reason, 
we have that $s_0$ is in $C$, since $Prob(s_0, \tau^*a, [0]) = \frac12 \cdot (\frac12 + \epsilon) + \frac14 = \frac12 + \frac{\epsilon}{2}$ (sim- 
ilarly, for $b$ we obtain $\frac12 - \frac{\epsilon}{2}$). Finally, $s_3$ is in $C$ too, since $Prob(s_3, \tau^*a, [0]) = 
\epsilon + \frac12 \cdot (1 - \epsilon) = \frac12 + \frac{\epsilon}{2}$ and $Prob(s_3, \tau^*b, [0]) = \frac12 \cdot (1 - \epsilon) = \frac12 - \frac{\epsilon}{2}$. Therefore, 
we have obtained a weak probabilistic bisimulation with $\epsilon$-precision including 
the pair $(s_0, s_3)$, i.e. the two transition systems are an $\epsilon$-perturbation of the same 
system. 

Fig. 9. Example of weak probabilistic bisimulation with $\epsilon$-precision 
3.5 Approximating PNI 

The similarity relation can be used to approximate the noninterference property 
by simply replacing the equivalence relation in its formulation with such a sim- 
ilarity relation. In essence, instead of qualitatively asserting whether or not two 
sub-models of the system are equivalent, we just look at how much they differ. 
Since the sub-models to be compared express the low-level behaviour in case 
the system is isolated from the high environment and the low-level behaviour in 
case the system interacts with high users, respectively, an approximated nonin- 
terference property quantitatively states the capacity of a low-level observer of 
guessing the high environment behaviour by observing the system execution. 

In our setting, the definition of process similarity is not parametric with re- 
spect to a specific set of adversaries (admissible spies, as termed in Section 2.4). 
Instead, the given security property is parameterised by a particular class of 
adversaries. Hence, security strictly depends on the definition of the property. 
In particular, here we show what happens when approximating the PNI prop- 
erty, which, as we have seen, is parameterised with respect to a particular class 
$\mathcal{A}_{PNI}$ of adversaries. In particular, if we replace in the definition of PNI the 
weak probabilistic bisimulation with the weak probabilistic bisimulation with 
$\epsilon$-precision, we obtain a relaxed property that states if the behaviour of $P$ in 
isolation is close (according to the distance $\epsilon$) to that observed when $P$ interacts 
with any one of the high-level users in $\mathcal{A}_{PNI}$. 

Example 14. Consider the system of Figure 10: 

$$
P = h.l'.0 +_p \tau.(l.0 +_q h.l.0) 
$$

where it can be observed that: 

— the left-hand component, which is chosen with probability $p$, is clearly non- 
secure, since the execution of the action $l'$ reveals to the low-level observer 
that the action $h$ occurred; 

— the right-hand component, which is chosen with probability $1 - p$, is secure, 
since independently of the (probabilistic) high behaviour a low-level observer 
always sees the action $l$ with probability 1. 

We point out that the probabilistic information is not necessary to capture a 
covert channel in $P$, which is easily revealed as a “1-bit covert channel” by the 
nondeterministic counterpart of the PNI property [ABG03]. In other words, the 
probabilistic information described in $P$ is not responsible for the information 
leakage. In spite of this, such information turns out to be useful to analyse 
the security level of $P$. Indeed, the observation of the frequency of the possible 
outcomes of repeated executions of the system reveals that the behaviour of $P$ 
is secure with probability $1 - p$ and discloses an unwanted information flow with 
probability $p$. In practice, after a certain number, let us say $n$, of experiments 
during which the high-level user interacts with $P$, it turns out that the mean 
number of $l'$ that have occurred is $n \cdot p$, while the mean number of $l$ that have 
occurred is $n \cdot (1 - p)$. Instead, after $n$ experiments during which the high-level 
user does not interact with $P$, it turns out that the number of $l$ that have 
occurred is $n$. Obviously, by observing the relative frequencies “on the long run” 
of the observable results, we have that $P \backslash AType_H$ and $P/AType_H$ will differ by 
exactly a factor $p$. That means if an external observer executes the system (under 
one of the two scenarios) “infinitely often”, then it can determine whether or 
not the high-level user was interfering. However, in a realistic scenario, after a 
finite number $n$ of experiments and in case $p$ is a value very close to 0, it is 
very hard for an external observer to understand whether or not the system was 
interacting with the high-level user. In such a case, the covert channel occurs 
with a negligible probability and $P$ may be considered as a good approximation 
of a secure system. 

Fig. 10. Example of probabilistic information flow 

The standard interpretation of probabilities as relative frequencies also helps 
to give an estimation of the covert channel capacity. Indeed, if we assume, e.g., 
that the system above is executed n times per week, then we can conclude that 
such a system suffers an information leakage equal to $n \cdot p$ bits per week, since 
that is (on average) the number of experiments that reveals the high-level user 
behaviour. 

Now, we formally show how the weak probabilistic bisimulation with $\epsilon$- 
precision is able to determine the security level of $P$. According to the PNI 
definition, we have $P \backslash AType_H \not\approx_{PB} P/AType_H$. However, $P \backslash AType_H$ is a $p$- 
perturbation of $P/AType_H$, since $P \backslash AType_H \approx_{PB} \tau.l.0 \approx_{PB} \tau.(l.0 +_q \tau.l.0) 
\approx_{PB_p} \tau.l'.0 +_p \tau.(l.0 +_q \tau.l.0) \approx_{PB} P/AType_H$. Therefore, the system can be 
considered secure enough as $p$ tends to the value 0. Note that, according to the 
definition of weak probabilistic bisimulation with $\epsilon$-precision, if $p$ is less than the 
threshold $\epsilon$, then the subsystem $P'$ reached from $P/AType_H$ by executing the 
hidden high-level action $h$ is simply disregarded, since it expresses a behaviour 
of the system reachable with a negligible probability. Therefore $P'$ is not to be 
related with any corresponding behaviour of the system $P \backslash AType_H$. 

Example 15. As another example, consider the following probabilistic process: 

$$
P = (l.0 +_p l.l'.0) +_q l.h.l'.0. 
$$

It is easy to see that $P$ is not PNI secure. Formally, let us denote by $C_1$ 
the equivalence class of the null term $0$ and by $C_2$ the equivalence class of 
term $l'.0$. On the one hand, we have $Prob(P \backslash AType_H, \tau^*l, C_1) = q \cdot p + 1 - 
q$ and $Prob(P \backslash AType_H, \tau^*l, C_2) = q \cdot (1 - p)$. On the other hand, we have 
$Prob(P/AType_H, \tau^*l, C_1) = q \cdot p$ and $Prob(P/AType_H, \tau^*l, C_2) = 1 - q \cdot p$. 
Therefore, $|Prob(P \backslash AType_H, \tau^*l, C_1) - Prob(P/AType_H, \tau^*l, C_1)| = 1 - q = 
|Prob(P \backslash AType_H, \tau^*l, C_2) - Prob(P/AType_H, \tau^*l, C_2)|$, from which we derive 
that (i) process $P$ does not satisfy the PNI property, and (ii) $P \backslash AType_H \approx_{PB_\epsilon} 
P/AType_H$ if $q \geq 1 - \epsilon$. Intuitively, if $q$ is close to 1, then the low view of $P$, 
with or without the interaction with the high-level user, changes according to 
a small $\epsilon$-fluctuation. While on the long run such a difference can be precisely 
identified, for a finite number of experiments $P \backslash AType_H$ and $P/AType_H$ turn 
out to behave almost the same. That means if we observe the low-level outcome 
of repeated executions of the system we are not able to notice the behaviour of 
the high-level user, since the high interference changes the frequency associated 
with each possible low-level outcome according to small, negligible fluctuations. 
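Definition 8 and the computations of Examples 11 and 15, as an added Python example that is not part of the paper: $Prob(P, \tau^*a, C)$ is computed over an explicit, fully generative transition system (the recursive definition of Section 3.2 solved as a least fixpoint, so the $\tau$-loop of $Q$ in Example 11 is handled), and a candidate relation given as a partition is scored by its largest probability gap, which is the smallest $\epsilon$ for which it is a weak probabilistic bisimulation with $\epsilon$-precision (0 means a weak probabilistic bisimulation). The reactive clause of Definition 8 is omitted because the low views compared in the examples enable generative actions only; the state names and the dictionary encoding are assumptions of the example.

```python
# Added example, not from the paper: Prob(P, tau* a, C) of Section 3.2 and the
# epsilon-precision check of Definition 8 on explicit, fully generative
# transition systems. Encoding (an assumption of this example): an LTS is a dict
# state -> list of (action, probability, successor); "tau" is the internal
# action; states with no entry are deadlocked, like the null term 0.
TAU = "tau"


def states_of(lts):
    return set(lts) | {nxt for trans in lts.values() for (_, _, nxt) in trans}


def prob_step(lts, P, a, C):
    """Prob(P, a, C): one-step probability of action a from P into class C."""
    return sum(q for (act, q, nxt) in lts.get(P, []) if act == a and nxt in C)


def prob_weak(lts, a, C, tol=1e-12, max_iter=100000):
    """Prob(P, tau* a, C) for every state P, following the recursive definition:
    x_P = 1 if a = tau and P in C; otherwise the tau-successors contribute
    sum_Q Prob(P, tau, Q) * x_Q, plus Prob(P, a, C) when a != tau.
    The equations are solved as a least fixpoint by Gauss-Seidel iteration
    from 0, which converges for the tau-loop Q -tau,1/2-> Q of Example 11."""
    C = set(C)
    x = {P: 0.0 for P in states_of(lts)}
    for _ in range(max_iter):
        delta = 0.0
        for P in x:
            if a == TAU and P in C:
                new = 1.0
            else:
                new = sum(q * x[Q] for (act, q, Q) in lts.get(P, []) if act == TAU)
                if a != TAU:
                    new += prob_step(lts, P, a, C)
            delta = max(delta, abs(new - x[P]))
            x[P] = new
        if delta < tol:
            break
    return x


def max_distance(lts, partition):
    """Largest |Prob(P, tau* a, C) - Prob(Q, tau* a, C)| over all P, Q in the
    same block of the partition, all classes C of the partition and all
    generative actions a (tau included). The partition plays the role of the
    relation R of Definition 8; the value returned is the smallest epsilon for
    which R is a weak probabilistic bisimulation with epsilon-precision."""
    actions = {act for trans in lts.values() for (act, _, _) in trans} | {TAU}
    worst = 0.0
    for a in actions:
        for C in partition:
            x = prob_weak(lts, a, C)
            for block in partition:
                for P in block:
                    for Q in block:
                        worst = max(worst, abs(x[P] - x[Q]))
    return worst


def example_11():
    """P = a +_1/2 b and Q = tau.Q +_1/2 (a +_1/2 b). Returns Prob(Q, tau* a, [0])
    (1/2 in the paper) and the distance of the relation {P, Q}, {0}
    (0: P and Q are weakly probabilistically bisimulation equivalent)."""
    lts = {"P": [("a", 0.5, "0"), ("b", 0.5, "0")],
           "Q": [(TAU, 0.5, "Q"), ("a", 0.25, "0"), ("b", 0.25, "0")]}
    return prob_weak(lts, "a", {"0"})["Q"], max_distance(lts, [{"P", "Q"}, {"0"}])


def example_15(p, q):
    """P = (l.0 +_p l.l'.0) +_q l.h.l'.0. "Pr" is the initial state of P\\AType_H
    (the restricted h.l'.0 deadlocks and joins the class C1 of 0), "Ph" that of
    P/AType_H (h becomes tau, so tau.l'.0 joins the class C2 of l'.0).
    Returns the distance between the two low views, 1 - q in the paper."""
    lts = {"Pr": [("l", q * p, "0"), ("l", q * (1 - p), "l'.0"), ("l", 1 - q, "h.l'.0")],
           "Ph": [("l", q * p, "0"), ("l", q * (1 - p), "l'.0"), ("l", 1 - q, "tau.l'.0")],
           "tau.l'.0": [(TAU, 1.0, "l'.0")],
           "l'.0": [("l'", 1.0, "0")]}
    partition = [{"Pr", "Ph"}, {"0", "h.l'.0"}, {"l'.0", "tau.l'.0"}]
    return max_distance(lts, partition)


if __name__ == "__main__":
    print(example_11())
    print(example_15(0.5, 0.99))
```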

3.6 Statistical Interpretation 

In a realistic scenario, an external observer makes a guess about the high environ- 
ment behaviour after a certain number of tests (system executions). That means 
we need a formal way to measure the difference (by a finite number of experi- 
ments) between the low view of $P$ in isolation, modeled by process $P \backslash AType_H$, 
and the low view of $P$ interacting with any high user in $\mathcal{A}_{PNI}$, expressed by 
process $P/^{h_1}_{p_1} \cdots /^{h_n}_{p_n}$ for any sequence of probabilities $p_1, \ldots, p_n \in\ ]0, 1[$. The 
capability of the observer of revealing the difference between such processes ex- 
presses a measure of the effectiveness of the covert channel from high level to 
low level. 

As an expected result, we can rephrase in our setting the same approach 
described in Section 2.5 to evaluate the confidence we can have in our hypothesis 
about the identity of a process after a finite number of experiments. We omit 
the technical part concerning the statistical methods behind such an approach 
(see Section 2.5) and we directly proceed with some clarifying examples. 

Example 16. Consider the system: 

$$
P = h_*.(l.0 +_{\frac34} l'.0) + (l.0 +_{\frac12} l'.0) 
$$

such that $P \backslash AType_H \approx_{PB} (l.0 +_{\frac12} l'.0)$ and 
$P/^h_p \approx_{PB} \tau.(l.0 +_{\frac34} l'.0) +_p (l.0 +_{\frac12} l'.0)$. 

According to the low view of the system in isolation, expressed by term 
$P \backslash AType_H$, a low-level observer sees the action $l$ with probability $\frac12$ and the 
action $l'$ with probability $\frac12$. On the other hand, if $P$ interacts with a high-level 
user that synchronises with the reactive action $h_*$ with probability $p$, then the 
low view of the system changes. In particular, a low-level observer sees the action 
$l$ with probability $\frac12 + \frac14 \cdot p$ and the action $l'$ with probability $\frac12 - \frac14 \cdot p$. That 
means for $p \in\ ]0, 1[$ the probability of observing the action $l$ varies in the range 
$]\frac12, \frac34[$ and the probability of observing the action $l'$ is in the range $]\frac14, \frac12[$. As 
a consequence, it turns out that $P/^h_p$ is a $\frac14$-perturbation of $P \backslash AType_H$ for 
all $p \in\ ]0, 1[$. Formally, it is easy to verify that $P \backslash AType_H \approx_{PB_{\frac14}} P/^h_p$ for all 
$p \in\ ]0, 1[$. 

An external low-level observer tries to distinguish the case in which $P$ is 
isolated from the high environment from the case in which $P$ interacts with 
a high-level user. To this purpose, he observes the relative frequencies of the 
low-level outcomes that derive from repeated executions of the system. After 
a number $n$ of experiments, he formulates a hypothesis about the scenario in 
which $P$ has been executed. The confidence he can have in such a hypothesis 
can be determined as reported in Section 2.5. In particular, we know that an 
upper bound for the distance between processes $P \backslash AType_H$ and $P/^h_p$ is $\epsilon = \frac14$. 
If we consider the scenario in which $P$ is isolated from the high environment and 
we concentrate on the low-level outcome $l$ (whose probability is equal to $\frac12$), we 
obtain the same results shown in Example 8. More precisely, if we assume $n = 9$, 
we have that the hypothesis formulated by the low-level observer will be right 
with an about 60% chance, while for $n = 144$ it will be correct with about 85%. 



Example 17. Now, let us consider again the same process $P$ of Example 15. We 
want to estimate the confidence an external observer can have in a hypothesis 
about the high environment behaviour after a finite number $n$ of experiments. To 
this purpose, let us assume $p = 0.5$ and $q = 0.99$. Such a scenario expresses the 
fact that the two possible behaviours (i.e. the single output $l$ and the sequence 
$l.l'$) are chosen by the system with equal probabilities except for a small fluctua- 
tion due to scarce interferences by the high-level user. Formally, in $P \backslash AType_H$ the 
probability of observing the sequence $l.l'$ is equal to 0.495, while in $P/AType_H$ 
such a probability is equal to 0.505. Symmetrically, we can compute the prob- 
ability of observing a single $l$, which is equal to 0.505 for $P \backslash AType_H$ and equal 
to 0.495 for $P/AType_H$. According to what we have shown in Example 15, the 
distance between such processes is $\epsilon = 0.01$. Now, we assume that the high- 
level user is interacting with the system and we concentrate on the sequence of 
events $l.l'$. The probability $P$ for an external low-level observer to identify the 
correct high environment behaviour depends on the number $n$ of experiments. 
In particular, for $n = 10$ we have (cf. Section 2.5): 

$$
a_0(10) = \frac{10 \cdot 0.01}{2\sqrt{10 \cdot 0.505 \cdot 0.495}} \approx 0.03 
$$

$$
P = 1 - \frac{1}{\sqrt{2\pi}} \int_{0.03}^{\infty} \exp\left(-\frac{x^2}{2}\right) dx \approx 0.512 
$$

Hence, for 10 tests the hypothesis that the observer formulates will be right 
with about 51%. Note that the probability of the best blind guess the observer 
can make is exactly 50%. We also emphasise that if we want such a probability 
to reach about 90%, then the external observer should execute about 16640 
experiments. 
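Example 17 carried through in Python, as an added example that is not part of the paper: the formula for $a_0(n)$ is the generalisation of the $n = 10$ line above (that Section 2.5 uses exactly this form is an assumption), $P$ is the standard normal distribution function evaluated at $a_0(n)$, and the number of experiments needed for a given confidence is found by bisection.

```python
# Added example, not from the paper: the observer's confidence after n
# experiments (Example 17). Assumptions of this example: a0(n) generalises the
# n = 10 computation of the paper as n*eps / (2*sqrt(n*p*(1-p))), and the
# confidence is Phi(a0(n)), Phi being the standard normal distribution function
# (1 minus the tail integral written in the example).
import math


def a0(n, eps, p):
    """Standardised gap after n experiments between the two hypotheses, whose
    frequencies for the observed outcome differ by eps around probability p."""
    return n * eps / (2.0 * math.sqrt(n * p * (1 - p)))


def normal_cdf(z):
    """Phi(z) = 1 - (1/sqrt(2*pi)) * integral from z to infinity of exp(-x^2/2) dx."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def confidence(n, eps, p):
    """Probability that the hypothesis the observer formulates after n tests is right
    (normal_cdf(0) = 0.5 is the blind guess)."""
    return normal_cdf(a0(n, eps, p))


def experiments_needed(target, eps, p):
    """Smallest n such that confidence(n, eps, p) >= target. a0 grows like
    sqrt(n), so the confidence is increasing in n and bisection applies."""
    hi = 1
    while confidence(hi, eps, p) < target:
        hi *= 2
    lo = 1
    while lo < hi:
        mid = (lo + hi) // 2
        if confidence(mid, eps, p) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def example_17():
    """p = 0.5, q = 0.99 in the process of Example 15: eps = 1 - q = 0.01, and the
    sequence l.l' is observed with probability 0.505 when the high-level user
    interacts. Returns the confidence for n = 10, for n = 16640 (the figure the
    paper gives for about 90%) and the smallest n reaching 90%."""
    eps, p = 0.01, 0.505
    return (confidence(10, eps, p), confidence(16640, eps, p),
            experiments_needed(0.90, eps, p))


if __name__ == "__main__":
    c10, c16640, n90 = example_17()
    print(f"n=10: {c10:.3f}  n=16640: {c16640:.3f}  smallest n for 90%: {n90}")
```

The smallest $n$ found is a few hundred below 16640 because the block uses the exact 90% quantile of the normal distribution (about 1.28), whereas 16640 corresponds to rounding it to 1.29.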
3.7 The ATM Example 

We present a simple but real example showing the need for a quantitative es- 
timation of illegal information flows. In particular, we consider an Automatic 
Teller Machine (ATM), which gives cash if and only if the client inserts the 
unique, correct PIN number i (of m possible PINs) within a fixed number, say 
n, of attempts, after which the ATM retires the card: 

$$
ATM_k = insPIN_{i*}.cash.ATM_1 + \textstyle\sum_{j \neq i} insPIN_{j*}.fail.ATM_{k+1} \qquad 0 < k < n 
$$

$$
ATM_n = insPIN_{i*}.cash.ATM_1 + \textstyle\sum_{j \neq i} insPIN_{j*}.retire.ATM_1 
$$

An attacker that is in possession of the card (but not of the PIN) may try to 
illegally withdraw cash: 

$$Spy = insPIN_1.Spy' \;\; (insPIN_2.Spy' \ldots)$$

$$Spy' = cash.spend.\mathbf{0} + fail.Spy + retire.flee.\mathbf{0}$$

We can assume that cash is the unique low-level action, since it expresses the 
tangible proof that a dishonest spy withdrew cash, while all the other events are 
considered to be high-level actions. If we take the composed system 

$$ATMSys = ATM_1 \;\|_{\{cash,\, retire,\, fail,\, insPIN_i : i = 1, \ldots, m\}}\; Spy$$

and check the nondeterministic counterpart of PNI [ABG03], we observe that the 
system is clearly non-secure. Indeed, if we hide the high-level actions, expressing 
the fact that the attacker interacts with the machine, then the action cash is 
observable. On the contrary, if we purge the system of the high-level actions, 
modeling the lack of any interaction between the machine and the attacker, 
then the action cash is not executable. Obviously, a purely nondeterministic 
approach captures the fact that an illegal behaviour can be observed in case the 
spy guesses the right PIN. In a realistic scenario, such an event is possible but 
negligible. For instance, assume that for any attempt the spy randomly samples a 
PIN value according to a uniform distribution, and take two realistic parameters, 
i.e. m = 100000 and n = 3. Then, denoting by C the equivalence class of the null 
term, we have that Prob(ATMSys/ATypeH, τ* cash, C) ≈ 0.00003. Formally, if 
we employ the weak probabilistic bisimulation with ε-precision (ε = 0.00003), 
then the system turns out to satisfy the approximated PNI property. This is 
because the probability of observing the illegal cash leakage is considered to be 
negligible. 
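As an added example (not from the paper), the leakage probability above computed on a constructed abstraction of ATMSys with the high actions hidden: the spy's m uniform guesses are lumped into a "correct" branch of probability 1/m and a "wrong" branch of probability (m−1)/m, and the probability of the observable trace τ* cash is obtained by exact reachability over that system.

```python
from fractions import Fraction
from functools import lru_cache


def build_atm_spy_system(m, n):
    """Constructed abstraction of ATMSys with high actions hidden, so that cash
    is the only visible action.  State k is the k-th attempt; 'CASH' and 'DONE'
    are absorbing.  The m branches insPIN_1 .. insPIN_m are lumped into a
    'correct' branch of probability 1/m (leading to cash) and a 'wrong' branch
    of probability (m-1)/m (fail, or retire on the last attempt).  This is exact
    for a spy that samples every guess uniformly and independently."""
    correct = Fraction(1, m)
    system = {"CASH": [], "DONE": []}
    for k in range(1, n + 1):
        nxt = k + 1 if k < n else "DONE"
        system[k] = [("cash", correct, "CASH"), ("tau", 1 - correct, nxt)]
    return system


def prob_observe(system, start, action):
    """Probability that a run from `start` performs `action` after hidden tau
    steps only, i.e. the probability of the observable trace tau* action."""

    @lru_cache(maxsize=None)
    def go(state):
        total = Fraction(0)
        for act, p, nxt in system[state]:
            if act == action:
                total += p
            elif act == "tau":
                total += p * go(nxt)
        return total

    return go(start)


def atm_leakage(m, n):
    """Prob(ATMSys/ATypeH, tau* cash, C) for m PINs and n allowed attempts."""
    return prob_observe(build_atm_spy_system(m, n), 1, "cash")


def satisfies_approx_pni(leak_prob, eps):
    """The purged system (no high-level interaction) never performs cash, so the
    behavioural distance between purged and hidden system is exactly the cash
    probability; approximated PNI holds when that distance is within eps."""
    return leak_prob <= eps


if __name__ == "__main__":
    leak = atm_leakage(100000, 3)
    print(f"leakage probability: {float(leak):.6g}")
    print("approximated PNI at eps = 0.00003:", satisfies_approx_pni(leak, Fraction(3, 100000)))
```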

4 Related Work and Conclusion 

In this paper, we surveyed two techniques for approximating noninterference 
properties, thus enriching the intuition behind the definition of probabilistic 
noninterference, which appeared in the literature to overcome the limitations 
of classical possibilistic approaches to information flow analysis. Initially, a for- 
mulation of probabilistic covert channel was proposed in [McL90,Gra90], and 
later on in [Gra92] and in [GS92,SG95]. More recently, in [SS00] the same intu- 
ition has been rephrased in the setting of an imperative language with dynamic 
thread creation, where, as a novelty, a probabilistic notion of bisimulation is 
used to formalise a security condition. In [Smi01], a type system is presented 
that aims to ensure secure information flow in a simple multithreaded imper- 
ative programming language running under a uniform probabilistic scheduler. 
The same author also employs a definition of weak probabilistic bisimulation 
(inspired by [BH97]) in [Smi03]. 

In the first approach presented in this paper we have concentrated on a 
notion of observable behaviour for programs in the PCCP language, which cor- 
responds to the probabilistic input/output observables. These can be described 
by probability distributions on the underlying space of constraints, and we used 
a vector norm to measure their similarity. By considering the observables of two 
processes executed in the context of a spy we were then able to measure their 
confinement. Different analyses can be constructed depending on the type of at- 
tacks we consider. For example, in [DHW03b,DHW02b] a control-flow analysis 
for the confinement property is presented which refers to internal attacks. This 
is the case where the attacker is part of the observed system and is therefore 
subject to the same scheduler as the host system. In another context one might 
be interested in external attacks, where the attacker is only allowed to observe 
the system from the outside and is thus scheduled in a different way, or one 
might impose other restrictions on the way a spy may observe the agents in 
question. In [DHW02a], an analysis is presented for the case of external attacks, 
which exploits information about the average store of an agent in some specified 
number of steps (the observation time). 

In the second approach we described, the notion of observable behaviour 
for processes is formalised in the process algebraic calculus of [BA03], whose 
semantics is given in terms of a probabilistic version of the weak bisimulation 
equivalence [BH97]. In this setting, we have shown that the robustness of a 
system against a specified class of attackers (as defined by the probabilistic non- 
interference property) can be checked by following the same approach introduced 
in [FG95] in a purely nondeterministic framework. Along this line, in [ABG03] 
a complete taxonomy of probabilistic security properties is described. The ex- 
pressiveness of the probabilistic process algebra and of the particular model of 
probability we adopted allow us to model and analyse real, complex systems. For 
example, in [AG02], a case study shows the adequacy of such an approach for 
analysing the security level (under any probabilistic adversary) of a probabilistic 
cryptographic protocol [MR99] implemented to achieve a fairness property. 

In the literature, several papers propose a formal definition of approximated 
bisimilarity. For example, in [vBW01,DGJP99] different pseudometrics are in- 
troduced that quantify the similarity of the behavior of probabilistic transition 
systems that are not bisimilar. In particular, in [DGJP99] the authors consider a 
metric on partial labeled Markov chains, which are a generalization of the fully 
specified transition systems described in Sect. 3, in that for each state the sum 
of the probabilities of the outgoing transitions, if there are any, is less than (or 
equal to) 1, while in our case such a sum always sums up to 1. Moreover, they 
extend the same approach to the weak bisimulation case in [DGJP02]. With re- 
spect to the notion of approximated weak probabilistic bisimulation ≈PBε, the 
approximated equality introduced in [DGJP02] is compositional. On the other 
hand, ≈PBε allows systems that can have largely different possible behaviours 
to be related under the condition that such behaviours are observable with a 
negligible probability. Another approach to the approximation of bisimilarity 
has been recently proposed in [DHW03c,DHW03a], which extends the approach 
presented in this paper to probabilistic transition systems and is based on the 
definition of bisimulation via a linear operator and the use of an operator norm 
for measuring noninterference. 
Abstract. Key Establishment is one of the most intriguing, fascinating 
and deeply studied problems in Cryptography. In this paper we propose a 
brief excursus among ideas and techniques that during the last years have 
been applied in a variety of settings, in order to design suitable and often 
mathematically delightful protocols to solve this issue. The presentation 
uses a very simple language: it is basically an introduction to the subject. 
Hopefully, it is even self-contained. Formal proofs and details are omitted, 
but the interested reader can find them in the referred papers. 

1 Introduction 

Cryptography is currently widely used to protect digital communication and 
information processing. All the applications belonging to the so-called electronic 
commerce area and many information services offered by public or private orga- 
nizations are made possible by the shrewd and refined use of cryptographic techniques. 
Roughly speaking, we could say that there is a visible digital world that most 
people experience every day, for example by using their personal computers at 
home for surfing the Internet, for accessing their bank accounts, or for buying 
goods from digital portals, which is built upon an underlying hidden world that 
exists to ensure that “everything goes fine” in the visible one. This hidden world 
is the world of Cryptography, an important aspect of which is the subject of 
these pages. 

Around twenty years ago, people started foreseeing the large spectrum of 
possibilities for Cryptography¹: indeed, the diffusion of public communication 
networks provides a very powerful medium to exchange data, in order to solve 
common problems. Unfortunately, as long as users need to communicate to per- 
form joint operations, several reasons can drive some of them to misbehaviours 
and unpredictable actions. Just to exemplify, if the community of users runs 
a digital protocol for the election of their representatives, it is not unrealistic 
to assume that some users can try either to falsify the result of the election 
or to find out for which candidate a certain user has voted. Therefore, some 
countermeasures must be taken. 

¹ The newcomers to Cryptography are strongly encouraged to read Rivest's survey 
[106] and, for recent and future perspectives, Maurer's survey [92]. 
To get the picture, Cryptography can be described as a collection of ideas and 
techniques enabling the community of users to complete common tasks in such 
a way that misbehaviours from some of them are harmless. Basically, this goal 
is obtained by means of a knowledge gap between users who wish to perform 
a certain task and users who, for several reasons, can decide to misbehave in 
arbitrary ways. Such a gap takes the form of secret information, referred to as 
keys, held by some honest users but not by dishonest ones. 

The main question that comes up, and that we are going to investigate in the 
following pages, is how keys can be established among groups of users of a network 
who wish to perform computations in a secure way. 



1.1 Alice, Bob and the Secret Place 

The first people that we meet in our excursus are Alice and Bob: every student 
who has given a look at a book on Cryptography in his life has surely met them 
at least once. The setting they belong to is the following: Alice and Bob 
need to privately communicate but they only share a public channel. Therefore, 
a third (bad) guy, Eve, could eavesdrop on the communication. Hence, they decide 
to encrypt the messages they send to each other in order to be protected against 
Eve. Loosely speaking, an encryption scheme is a family of pairs of rules 

$$\{(E_k(\cdot), D_k(\cdot))\}_{k \in K}$$

where E_k(·) enables Alice to encrypt the messages she wishes to send to Bob, 
while D_k(·) enables Bob to decrypt the encrypted messages received from Alice. 
More precisely, Alice computes and sends c = E_k(m), where m is the message 
she would like Bob to receive, and Bob computes m = D_k(c) = D_k(E_k(m)), 
and vice versa. Such a process works if for each possible message m it holds that 
m = D_k(E_k(m)) (i.e., D_k(·) is the inverse rule for E_k(·)). Alice and Bob choose 
the pair they want to use to protect the privacy of their communication by 
choosing a value of k ∈ K, referred to as the secret key. K is the set of all 
possible secret keys. 

For example, Alice and Bob can decide that the encryption rule consists of 
substituting every letter of the message with the one that follows in the alphabet, 
on which the message is defined, by 3 positions in cyclic order. Symmetrically, the 
decryption rule requires that every letter of the encrypted message is substituted 
by the letter 3 positions backwards in the alphabet. The secret key in this case 
is given by the number 3. Eve can even know that they encrypt and decrypt 
their communication by substituting the letters of the message with others of 
the same alphabet at a certain fixed distance, but since she does not know the 
value of this distance, she cannot decrypt any message. 

Apart from the security issue of the above strategy, historically used and known 
as Caesar's Cipher [77], what is important in our investigation is: how do 
they fix a value for the secret key? To get started, we can say that they have a 
meeting in a secret place. It could seem trivial but it is what people have done 
for roughly two thousand years and in several settings they still do. As we will 
see in the following, in many protocols the so-called set-up phases, in which 
users get secret information, are the equivalent of the old meeting in a secret 
place. 

From a historical point of view, it is known neither whether Alice and Bob 
have lived somewhere nor whether they have ever had the need to privately communi- 
cate on a public channel: but for sure, they live in the cryptographic language 
and the problem they are presumed to manage is really one of the first that 
people have tried to solve with several techniques. As for Eve, her identity is 
even more doubtful: sometimes she is called Oscar, sometimes Opponent, some- 
times simply Adversary, but she/he does seem to exist, at least to 
justify Cryptography! 



1.2 Keys in Cryptography 

As we were saying before, keys, secret pieces of information belonging to a cer- 
tain set, constitute the knowledge gap held by a group of users with respect to 
adversaries, by means of which the group can perform tasks in a secure way, like 
communicating privately. For example, the value of k that Alice and Bob choose 
in order to define a pair (E_k(·), D_k(·)) among the set {(E_k(·), D_k(·))}_{k∈K} is the 
knowledge gap that protects them against Eve. 

To give an idea, some settings in which keys are used are: 

— Point-to-point private communications. This is the setting we have consid- 
ered before: two users, Alice and Bob, wish to privately communicate over a 
public channel. They use a secret key to encrypt and decrypt the messages 
they send to each other. 

— Multicast communications and conferencing. Many users are involved in a 
private communication. This setting generalizes in several ways the previous 
one: it embraces private group communications, as well as multicast and 
broadcast communications, where a single source sends information to a 
certain subset of recipients, which changes from time to time. 

— Entity and Data Authentication. Keys are used in protocols enabling one 
party to prove to another party his identity, i.e., the other party is convinced 
that the person that is speaking is the real one and not an adversary, or to 
guarantee the authenticity of a certain source of information. 

— Information Integrity Check. Many cryptographic primitives, designed to 
check the integrity of information transmitted over insecure channels or 
stored in unreliable/breakable memories, use secret keys. 

Moreover, keys can be classified according to their usage, life-time, and other 
features. Without going into details at the moment, keys can be: 

— Secret keys. Used by users in symmetric cryptosystems and, more generally, 
with cryptographic primitives requiring one key. 

— Public keys. Publicly known keys, usable by all the users of a network with a 
public key cryptosystem or a digital signature scheme. 

— Private keys. The corresponding key of a certain public one, held and usable 
by a single user in a public key system, in order to decrypt or sign messages. 

— Session keys. Used for a short period of time. 

— Master or Long Term keys. Stored for a long time and often used to generate 
or derive session keys. 



1.3 The Power of Eve 

Cryptography is concerned with the design and analysis of protocols. A multi-party pro- 
tocol is a well-defined sequence of steps that each party has to perform in order 
to obtain a fixed common goal. A cryptographic protocol is a multi-party protocol 
that keeps working (i.e., maintains its functionality) even in the presence of an ad- 
versary who can simply listen to the conversation that takes place among the users 
or who can coordinate the actions of some parties, in order to corrupt the output 
of the protocol or to obtain from the execution information that the protocol is 
not supposed to leak. A cryptographic protocol is secure if it is designed in such 
a way that no adversary can succeed in the above attempt. On the other hand, 
if an adversary can gain some advantage by listening or by controlling some parties 
in deviating from the protocol, we say that he can break the protocol. 

Just to exemplify the above concept in a concrete context, and with a certain 
degree of approximation, think about the private communication problem Alice 
and Bob have to solve: in that case, an encryption scheme (i.e., a cryptographic 
protocol for private communication) is secure if, assuming that the only thing 
that Eve can do is to tap the channel, from the encrypted messages sent by 
the parties along the public channel she cannot obtain any partial information 
about the real conversation. 

Apart from the strategy that an adversary can pursue in order to break a certain 
protocol, and the amount of information he can count on, a preliminary assump- 
tion that is made in order to study the security of protocols concerns the 
computational power of the adversary: in other words, the amount of resources 
Eve can afford in order to succeed. This assumption leads to two different worlds 
in cryptography. 

— Computationally Secure Setting. Eve is bounded. She can perform only fea- 
sible computations where, as usual in complexity theory, we refer with this 
term to procedures which require time and space upper bounded by a poly- 
nomial P(n), where n = |x| is the size of the instance x of the problem the 
procedure solves. 

— Unconditionally Secure Setting. Eve is unbounded. She can use as much time 
and space as she needs: in this setting, even theoretical but infeasible com- 
putations are supposed to be real threats. A cryptographic protocol proved 
secure against such an adversary is usually referred to as perfectly secure 
because it is secure independently of the efforts of Eve. 

Moreover, cryptographic protocols proved secure in the computational setting 
belong to two different families: in the first case, a protocol is shown to be 
resistant to all currently known and computationally feasible attack strategies. 
Hence, the protocol is presumed to be secure modulo the non-existence of better 
strategies. In the second case, a protocol is "proved" secure because the existence 
of feasible strategies to break the security of the scheme implies the possibility 
of constructing a feasible procedure to solve some supposedly infeasible 
mathematical problem. For example, factoring an integer n which is the product 
of two large primes, computing the discrete log in multiplicative groups of prime 
order, or computing roots of powers, are all presumed to be infeasible tasks for 
large values of n and suitable sizes of the groups. Hence, a proof of security in this 
case consists in showing that, if an efficient procedure to break a given protocol 
exists, then there exists an efficient procedure, say, to factorise a large integer 
n, product of two large primes, which is commonly believed to be false. 

Therefore, we could say that in the first case the security is a sort of em- 
pirical security: the proof is given by means of a collection of arguments showing 
how well-known attacks fail in breaking the given protocol. In the second, a 
mathematically convincing proof relates the computational difficulty of break- 
ing the protocol to the difficulty of solving a supposedly infeasible task. 



2 Cryptographic Primitives 

The protocols we describe in the next sections basically answer the question of 
how groups of users can establish secret keys for subsequent cryptographic uses. 
However, they require some preliminary notions and familiarity with certain 
cryptographic primitives. To this aim, we briefly recall, in a very simple way, 
some notions and definitions. For a complete treatment the reader can consult 
[94] and [120]. We start by recalling what a cryptosystem is: 

Definition 1. [120] A cryptosystem is a five-tuple (P, C, K, E, D) where the fol- 
lowing conditions are satisfied: 

1. P is a finite set of possible plaintexts 

2. C is a finite set of possible ciphertexts 

3. K, the keyspace, is a finite set of possible keys 

4. For each K ∈ K there is an encryption rule e_K ∈ E and a corresponding 
decryption rule d_K ∈ D. Each e_K : P → C and d_K : C → P are functions 
such that d_K(e_K(x)) = x for every plaintext element x ∈ P. 

In a symmetric cryptosystem the key is a single secret element K, used 
by both the encryption and the decryption rules. Vice versa, in a public key 
cryptosystem, the key K = (p, s) is a pair of elements: the first one, p, the public 
key, is publicly known and can be used by everybody to encrypt messages to 
the owner of the key. On the other hand, the second one, s, the private key, is 
held and used only by the owner to decrypt the messages sent to him. The main 
property of a public key cryptosystem is that the knowledge of p does not enable 
one to compute (in a feasible way) s. Hence, public key cryptosystems can only be 
computationally secure. 
Definition 2. [120] A hash family is a four-tuple (X, Y, K, H), where the fol- 
lowing conditions are satisfied: 

1. X is a set of possible messages 

2. Y is a finite set of possible message digests or authentication tags 

3. K, the key space, is a finite set of possible keys 

4. For each K ∈ K, there is a hash function h_K ∈ H. Each h_K : X → Y. 



Hash functions are used to associate a message digest to a certain message 
of arbitrary size, for example a file of data. The message digest can be used 
later on to check if the file has been corrupted. Some hash functions do not 
require keys (i.e. unkeyed hash functions). The main security property that hash 
functions satisfy is that it is computationally infeasible to find two messages 
which the hash function associates to the same message digest. This property, 
called collision resistance, implies that the function is one-way; in other words, 
it cannot be inverted by means of feasible computations. 



Definition 3. [120] A signature scheme is a five-tuple (P, A, K, S, V) where the 
following conditions are satisfied: 

1. P is a finite set of possible messages 

2. A is a finite set of possible signatures 

3. K, the keyspace, is a finite set of possible keys 

4. For each K ∈ K, there is a signing algorithm sig_K ∈ S and a corresponding 
verification algorithm ver_K ∈ V. Each sig_K : P → A and ver_K : P × A → 
{true, false} are functions such that the following equation is satisfied for 
every message x ∈ P and for every signature y ∈ A: 

$$ver_K(x, y) = \begin{cases} true & \text{if } y = sig_K(x) \\ false & \text{if } y \neq sig_K(x). \end{cases}$$

A pair (x, y) with x ∈ P and y ∈ A is called a signed message. 

A signature scheme enables a user to sign messages. A signature is a short 
sequence of bits that only the owner of the message can produce. Everybody else 
can verify the authenticity of the signature on the message. 

Notice that the use of public key cryptosystems implicitly assumes that a 
certain public key really corresponds to a given user. In other words, the identity 
of each user is bound to the key. This authentication process for the public keys 
can be done by using a trusted third party TA and a signature scheme. If the 
verification algorithm of the signature scheme held by TA is universally known 
and recognized to belong to the TA, then the TA can fill in and sign a certificate 
for each public key, containing several pieces of information (e.g., public key, identity of the 
user, date of issue, expiry date ...). Then, every user can show the certificate 
to prove the authenticity of his own public key. The certificate can be verified 
by any other user of the system. 

Most of the schemes we consider are designed over finite groups. 
Definition 4. Let G be a finite set of elements, and let * be an operator defined 
on G. The pair (G, *) is a group if 

— G is closed with respect to *, i.e., a * b ∈ G for any a, b ∈ G. 

— * is associative, i.e., (a * b) * c = a * (b * c). 

— 1 is the identity element, i.e., a * 1 = 1 * a = a, for any a ∈ G. 

— Any a ∈ G has an inverse a^{-1} such that a * a^{-1} = a^{-1} * a = 1. 

The order of an element g of the group G is the smallest positive integer 
m such that g^m = 1, where g^m denotes the application of * m times (i.e., 
g^2 = g * g, g^3 = g * g * g, etc.). An element g is a primitive element of the 
group G if {g^i : 0 ≤ i ≤ |G| − 1} = G. Denoting by Z_p = {0, ..., p − 1}, where 
p is a large prime, the pair (Z_p^*, ·), where Z_p^* = Z_p \ {0} and · is the usual 
multiplication mod p among numbers, is a widely used group. 

3 Key Establishment 

In this section we overview methods and ideas proposed during the last years 
to solve the key establishment problem. The two main approaches to key estab- 
lishment developed in the literature are Key Distribution and Key Agreement. 
In the first case, as the words suggest, keys are given to the users by means of a 
sort of distribution, often performed or helped by a trusted party. In the second, 
users are required to interact, by exchanging messages among each other, and 
to perform private computations, in order to agree on a common key. A variety 
of protocols has been described, which can be classified according to the above 
criterion. Following the exposition given in [94], we start with some definitions. 

Definition 5. A Key Establishment Protocol provides a shared secret to two or 
more parties, for subsequent cryptographic use. 

The basic requirement that a key establishment protocol should satisfy is 
that any other party of the network should be unable to get the same key (or 
partial information about it) established by a given group. This roughly defines 
a secure key establishment protocol. 

Moreover, a very nice feature is that all the parties are aware of the identities 
of the other parties that can get the same secret key. More precisely, we can state 
the following: 

Definition 6. An Authenticated Key Establishment Protocol is a Key Estab- 
lishment Protocol whereby the parties are assured of the identities of the other 
parties that may gain access to a particular secret key. 

Notice that an authenticated protocol just ensures who the other parties 
that could get the key are, but it does not ensure that they really hold the key. In 
other words, there is no confirmation that the key has really been computed by 
all the parties that are supposed to. Therefore, the authentication is a sort of 
implicit authentication. 

Definition 7. A Key Confirmation Protocol proves the real possession of a se- 
cret key held by a set of parties. 
If an authenticated key establishment protocol also provides key confirma- 
tion, the keys the parties get are said to be explicitly authenticated. 

The protocols we present achieve some of the notions we have just given. 
We start by surveying methods based on public key cryptography and, hence, 
computationally secure. Then, we consider unconditionally secure key establish- 
ment protocols. The schemes given in the next subsection are all well described 
in textbooks for Cryptography courses. We just recall them to point out the idea 
on which they are based, but the reader is referred to [94,120] for proofs and 
details. 

3.1 Computationally Secure Public-Key Based Schemes 

Diffie and Hellman [54], in 1976, described a solution for the key establishment 
problem that enabled, for the first time, to avoid the preliminary meeting in a 
secret place. Their landmark paper, moreover, introduced the ideas of public key 
cryptosystem and digital signature scheme, even if the first real scheme was given 
in [107]. Recently, it has been pointed out that the same ideas were previously 
discovered by researchers at Bletchley Park [20], but were kept secret due to 
military reasons. The interested reader is referred to [111] for a detailed and 
pleasant historical reconstruction. 

The scheme proposed by Diffie and Hellman is very simple and works as 
follows: 



Diffie-Hellman Scheme 

Let p be a large prime and let g be a generator of Z_p^*. 

1. Alice chooses a random value 2 ≤ x ≤ p − 2 and sends g^x to Bob. 

2. Bob chooses a random value 2 ≤ y ≤ p − 2 and sends g^y to Alice. 

3. Alice and Bob compute the common key 

$$g^{xy} = (g^x)^y = (g^y)^x.$$



The security of the scheme is based on the difficulty of computing the discrete 
log in Z_p^*. More precisely, 

Definition 8. Let p be a prime and let Z_p^* be the multiplicative group over Z_p. Let g 
be a generator of Z_p^*. Given a ∈ Z_p^*, the value x such that g^x = a is called the 
discrete log (or index) of a with respect to g. 

If p is a large prime, computing the discrete log in Z* is presumed to be 
computationally infeasible. The best known algorithms at the state of the current 
knowledge require sub-exponential time in the size of p. In the literature, the 
computation of the discrete log is referred to as the Discrete Log Problem, {DL, 
for short). 

The idea of the Diffie-Hellman scheme can be easily generalized to groups of 
more users. It is just necessary to exchange information in a circular way. For 3 
users, for example, the scheme works as follows: 

Generalised Diffie-Hellman Scheme 

Let p be a large prime and let g be a generator of Z_p^*. 

1. Alice chooses a random value 2 ≤ x ≤ p − 2 and sends g^x to Bob. 

2. Bob chooses a random value 2 ≤ y ≤ p − 2 and sends g^y, g^x and g^{xy} 
to Cher. 

3. Cher chooses a random value 2 ≤ z ≤ p − 2 and sends g^{yz} to Alice 
and g^{xz} to Bob. 

4. Alice, Bob and Cher compute the common key 


One of the disadvantages of the above extension of the Diffie-Hellman scheme 
is that, when the number n of users grows, the scheme requires O(n) commu- 
nication steps. The interested reader is referred to [117,118] for 'natural' exten- 
sions of the Diffie-Hellman key exchange. Moreover, he can consult some recent 
papers [37,38,39,40] and the references quoted therein. 

Notice that the Diffie-Hellman scheme (and its extensions) can be imple- 
mented in any group G, instead of Z_p^*, in which the DL problem is supposed to 
be difficult. 

From a security point of view, these schemes are secure against an adversary, 
said to be passive, who just listens to the conversation: indeed, due to the difficulty 
of the discrete log problem, the knowledge of g^x and g^y does not enable one to 
compute x and y and, hence, g^{xy}. On the other hand, it seems that there is no 
better way of using g^x and g^y to compute g^{xy}. The computation of g^{xy} given 
g^x and g^y is usually referred to as the Diffie-Hellman problem (DH, for short). 
There is no general reduction at the state of the current knowledge of the DL 
problem to the DH problem, even if in the last years it has been shown [93] that 
it is possible to construct groups for which breaking the Diffie-Hellman protocol 
is provably as hard as computing discrete logarithms, and this equivalence holds 
for any group if a number theoretic conjecture holds². 

Notice that the Diffie-Hellman Scheme can be used in a non-interactive fash- 
ion if each user U_i publishes his choice/public-key y_i = g^{a_i} and uses a_i to com- 
pute the common key shared with another user. More precisely, to compute the 
common key with user U_j he computes (y_j)^{a_i} = (g^{a_j})^{a_i}. 

With this approach the key between any pair of users is fixed forever, while 
with the interactive version of the protocol, freshness of the key is guaranteed. 
In each session the users can compute a new key. 

The Diffie-Hellman scheme can be subject to active attacks: an active adver- 
sary can modify or inject messages along the channel. A common strategy that 
can be applied is the so called meet in the middle attack. This strategy can be 
described as follows: 

$^{1}$ The security of the DL and of the Diffie-Hellman problems has been studied in several papers. To name a few, see [33,35,114].
Meet-in-the-Middle Attack. Assume that Eve intercepts and changes the messages sent, according to the steps of the protocol, by Alice to Bob and vice versa. More precisely, Eve intercepts $g^x$ and sends $g^{x'}$ to Bob. Then, Eve intercepts the reply $g^y$ that Bob sends to Alice, computes $g^{y'}$ and sends it to Alice. At this point Eve shares $g^{xy'}$ with Alice and $g^{x'y}$ with Bob. She can read and filter the whole conversation, while Alice and Bob think they are talking to each other.

Matsumoto, Takashima and Imai have constructed several interesting key 
agreement protocols by modifying the Diffie-Hellman protocol. The following 
MTI scheme [89] has been designed to cope with meet-in-the-middle attacks. 



MTI Scheme

Let $p$ be a large prime and let $g$ be a generator of $\mathbb{Z}_p^*$. Moreover, let $p_A = g^a$ be Alice's public key and let $p_B = g^b$ be Bob's public key ($a$ and $b$ are the corresponding private keys). The public keys are certified by a trusted authority TA.

1. Alice chooses a random value $2 \le x \le p-2$ and sends $g^x$ to Bob.

2. Bob chooses a random value $2 \le y \le p-2$ and sends $g^y$ to Alice.

3. Alice and Bob compute the common key

$$k = (g^y)^a \cdot p_B^{\,x} = (g^x)^b \cdot p_A^{\,y} = g^{bx + ay}.$$



The use of the public keys mutually authenticates the users: each user is sure that only the other party can compute the key. However, the authentication is implicit, since there is no key confirmation. In this scheme Eve can still prevent Alice and Bob from establishing a common key, but the meet-in-the-middle attack does not work: to compute either party's key she would need $a$ or $b$.

Notice that, even in the non-interactive version of the DH protocol, if the public key $y_i = g^{a_i}$ is certified by a trusted authority, the key establishment scheme provides implicit authentication.
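The following is an added example, not code from the paper: it runs the substitution attack described above against plain Diffie-Hellman, where Eve ends up sharing a key with each side, and then against the MTI scheme, where Alice's and Bob's keys involve the private exponents $a$ and $b$ that Eve does not have. The group is a constructed toy one ($p = 2^{31}-1$, $g = 7$, a generator of $\mathbb{Z}_p^*$); a real deployment uses a group of at least 2048 bits.

```python
# Added example (not from the paper): plain Diffie-Hellman under the active attack
# described above, next to the MTI scheme, which the same attack does not break.
# Parameters are a constructed toy group: p = 2^31 - 1 (prime) and g = 7, a generator
# of Z_p^*; real deployments use groups of at least 2048 bits.
import secrets

P = 2147483647                                           # 2^31 - 1
G = 7
P_MINUS_1_PRIME_FACTORS = (2, 3, 7, 11, 31, 151, 331)    # p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331


def is_generator(g, p, prime_factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)


def random_exponent():
    """Random x with 2 <= x <= p - 2, the range used in the protocol descriptions."""
    return 2 + secrets.randbelow(P - 3)


def dh_meet_in_the_middle(x, y, x_eve, y_eve):
    """Plain DH: Alice uses x, Bob uses y, Eve substitutes g^x' and g^y'.
    Returns (Alice's key, Bob's key, Eve's key with Alice, Eve's key with Bob)."""
    g_x = pow(G, x, P)               # Alice -> Bob, intercepted by Eve
    g_y = pow(G, y, P)               # Bob -> Alice, intercepted by Eve
    g_x_eve = pow(G, x_eve, P)       # what Bob actually receives
    g_y_eve = pow(G, y_eve, P)       # what Alice actually receives
    alice_key = pow(g_y_eve, x, P)   # g^{x y'}
    bob_key = pow(g_x_eve, y, P)     # g^{x' y}
    eve_with_alice = pow(g_x, y_eve, P)
    eve_with_bob = pow(g_y, x_eve, P)
    return alice_key, bob_key, eve_with_alice, eve_with_bob


def mti_key(my_ephemeral, peer_ephemeral_pub, my_long_term, peer_long_term_pub):
    """MTI key: (g^y)^a * p_B^x on Alice's side, (g^x)^b * p_A^y on Bob's side."""
    return (pow(peer_ephemeral_pub, my_long_term, P)
            * pow(peer_long_term_pub, my_ephemeral, P)) % P


def mti_honest(a, b, x, y):
    """Both parties' keys when nobody interferes; both equal g^{bx + ay}."""
    p_a, p_b = pow(G, a, P), pow(G, b, P)
    g_x, g_y = pow(G, x, P), pow(G, y, P)
    return mti_key(x, g_y, a, p_b), mti_key(y, g_x, b, p_a)


def mti_meet_in_the_middle(a, b, x, y, x_eve, y_eve):
    """Same substitution attack against MTI. Eve knows x', y', g^x, g^y, p_A, p_B but
    not a or b. Alice ends with g^{ay' + bx}, Bob with g^{bx' + ay}; the value Eve can
    form from what she holds is g^{xy'}, which is neither key."""
    p_a, p_b = pow(G, a, P), pow(G, b, P)
    g_x_eve, g_y_eve = pow(G, x_eve, P), pow(G, y_eve, P)
    alice_key = mti_key(x, g_y_eve, a, p_b)
    bob_key = mti_key(y, g_x_eve, b, p_a)
    eve_best_guess_alice = pow(pow(G, x, P), y_eve, P)
    return alice_key, bob_key, eve_best_guess_alice


if __name__ == "__main__":
    assert is_generator(G, P, P_MINUS_1_PRIME_FACTORS)
    x, y, xe, ye = (random_exponent() for _ in range(4))
    a, b = random_exponent(), random_exponent()
    ak, bk, ea, eb = dh_meet_in_the_middle(x, y, xe, ye)
    print("DH under attack: Eve shares Alice's key:", ak == ea, "and Bob's:", bk == eb)
    ak, bk, eg = mti_meet_in_the_middle(a, b, x, y, xe, ye)
    print("MTI under attack: Eve's guess equals a real key:", eg in (ak, bk))
```

Note that in the MTI run Alice and Bob still end up with different keys, which is the "Eve can prevent them from establishing a common key" caveat above; what the certified long-term keys rule out is Eve knowing either of them.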

Another well-known variant of the Diffie-Hellman protocol is the Station-to-Station protocol (STS, for short). This scheme, introduced by Diffie, van Oorschot, and Wiener [55], uses a symmetric cryptosystem and a digital signature scheme.



STS Scheme

Let $p$ be a large prime and let $g$ be a generator of $\mathbb{Z}_p^*$. Moreover, let $(P_A, S_A)$ be Alice's public and private keys, and let $(P_B, S_B)$ be Bob's public and private keys. The public keys are certified by a trusted authority TA. Finally, let $E$ be a symmetric encryption scheme.

1. Alice chooses a random value $2 \le x \le p-2$ and sends $g^x$ to Bob.

2. Bob chooses a random value $2 \le y \le p-2$, computes $k = g^{xy}$, and sends $g^y$ and $E_k(S_B(g^y, g^x))$ to Alice.

3. Alice computes $k = g^{xy}$, verifies Bob's signature, and sends $E_k(S_A(g^x, g^y))$ to Bob, who verifies it in turn.

The scheme provides explicit authentication, since each party verifies the other's signature on both exponentials. Key confirmation is given by means of the encryption $E_k$ where $k = g^{xy}$.

Other interesting versions of the Diffie-Hellman scheme are the so called Günther's scheme [69] and Girault's scheme [66]. In these cases, the keys the users get are implicitly certified or self-certified. The schemes still require a trusted authority. Moreover, in the following scheme a hash function $h$ is used by the parties.



Günther's Scheme for Implicitly-Certified Keys

1. The trusted authority TA selects a prime $p$ and a generator $g$ of $\mathbb{Z}_p^*$. Moreover, TA selects a random $1 \le t \le p-2$ such that $\gcd(t, p-1) = 1$ as its private key, and publishes its public key $u = g^t \bmod p$, along with $g$ and $p$.

2. TA assigns to each party $A$ an identifier $I_A$ and a random value $k_A$ subject to $\gcd(k_A, p-1) = 1$. Then, TA computes $P_A = g^{k_A} \bmod p$ and solves for $a$ the equation

$$h(I_A) = t \cdot P_A + k_A \cdot a \pmod{p-1}.$$

3. TA securely sends to $A$ the pair $(P_A, a)$.

4. Any other party can reconstruct $A$'s public key $(P_A)^a$ by computing

$$P_A^{\,a} = g^{h(I_A)} \cdot u^{-P_A} \bmod p.$$



The aim of this procedure is to avoid the overhead due to the use of certificates. Indeed, in this case there is no certificate associated with the keys, but every user is guaranteed that $P_A^{\,a}$ belongs to $A$, due to the procedure applied by TA to generate the public keys: the reconstruction works because $g^{h(I_A)} = g^{t P_A} \cdot g^{k_A a} = u^{P_A} \cdot P_A^{\,a}$, and only TA could have produced a pair $(P_A, a)$ satisfying it without knowing $t$. Implicitly-certified keys can be used to set up variants of the DH protocol. For example:



Günther's Key Agreement Scheme

1. Alice sends $(I_A, P_A)$ to Bob.

2. Bob chooses a random value $y$, and sends $(I_B, P_B, P_A^{\,y} \bmod p)$ to Alice.

3. Alice chooses a random value $x$ and sends $(P_B)^x \bmod p$ to Bob.

4. Alice and Bob compute the same key $k$ as

$$k = (P_A^{\,y})^a \cdot (P_B^{\,b})^x = (P_A^{\,a})^y \cdot (P_B^{\,x})^b,$$

where each party reconstructs the other's public key, $P_B^{\,b}$ for Alice and $P_A^{\,a}$ for Bob, from the received identifier and $P$ value and the TA's public key $u$.



The reader is referred to [66] for Girault's scheme, where the keys are self-certified, i.e., only the user knows the corresponding private key, whereas in Günther's scheme the TA computes $a$ and hence knows it as well. More details and references can be found in [94,120].
3.2 Key Transport

All the protocols described before enable two or more parties to agree on a common secret key, and each party plays a role in establishing it. In this section we describe a smart technique, attributed to Shamir [80], enabling one party to send to another party a secret key for subsequent cryptographic uses.

Shamir's idea is the following: Alice chooses a key $K$, puts it in a box with a lock, and sends the box to Bob. Bob adds another lock and sends it back to Alice. Alice removes her lock and sends the box to Bob again. At this point, Bob removes his lock, opens the box, and recovers the key $K$. Therefore, with a 3-step protocol, they obtain a common key (chosen by Alice).

Shamir's Scheme

Let $p$ be a prime and let $\mathbb{Z}_p^*$ be the multiplicative group of $\mathbb{Z}_p$.

1. Alice and Bob choose secret random numbers $a$ and $b$, coprime with $p-1$, and compute $a^{-1}$ and $b^{-1}$ modulo $p-1$, respectively.

2. Alice chooses a key $K \in \mathbb{Z}_p^*$ and sends $K^a \bmod p$ to Bob.

3. Bob computes and sends $(K^a)^b \bmod p$ to Alice.

4. Alice computes and sends $(K^{ab})^{a^{-1}} = K^b \bmod p$ to Bob, who recovers $K = (K^b)^{b^{-1}} \bmod p$.



At the end of the execution both share the key $K$. The protocol is based on the DL problem, but it can be rewritten using any symmetric encryption scheme whose operations commute. However, some attention is required: if, for example, one uses the Vernam cipher, then the xor of the three messages exchanged gives the key $K$! Notice that Shamir's scheme enables one party to transport a key to another without assuming that the two parties share a secret key a priori. Assuming instead that both users already share a long-term key, several techniques to establish a session key have been proposed, from very simple ones, where one party encrypts and sends the key to the other party, to more refined challenge-response protocols [94]. As we will point out later, session keys are useful for many reasons and in several settings. To exemplify the approach, we describe a protocol which provides mutual entity authentication (i.e., each entity is guaranteed of the identity and availability of the other) and implicit key authentication, and is based on symmetric primitives.
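As an added example (not code from the paper), the following runs Shamir's three-pass scheme over $\mathbb{Z}_p^*$ and then the same three passes with the Vernam cipher as the "lock", showing why the warning above applies: an eavesdropper who xors the three messages gets $K$. The modulus $p = 2^{31}-1$ is a constructed toy value.

```python
# Added example (not from the paper): Shamir's three-pass key transport over Z_p^*,
# and the same "three locks" idea instantiated with the Vernam cipher, where an
# eavesdropper recovers K by xoring the three messages. p = 2^31 - 1 is a constructed
# toy modulus; K must be in Z_p^*, i.e. 1 <= K <= p - 1.
import math
import secrets
from functools import reduce

P = 2147483647  # 2^31 - 1, prime


def pick_lock(p):
    """Random exponent a with gcd(a, p - 1) = 1 and its inverse a^{-1} mod (p - 1),
    so that (K^a)^{a^{-1}} = K in Z_p^* (Fermat: K^{p-1} = 1)."""
    while True:
        a = 2 + secrets.randbelow(p - 3)
        if math.gcd(a, p - 1) == 1:
            return a, pow(a, -1, p - 1)


def shamir_three_pass(key, alice_lock, bob_lock, p=P):
    """Run the protocol. Returns the three values seen on the wire and what Bob recovers."""
    a, a_inv = alice_lock
    b, b_inv = bob_lock
    m1 = pow(key, a, p)             # Alice -> Bob:   K^a      (Alice's lock on)
    m2 = pow(m1, b, p)              # Bob -> Alice:   K^{ab}   (both locks on)
    m3 = pow(m2, a_inv, p)          # Alice -> Bob:   K^b      (Alice's lock removed)
    recovered = pow(m3, b_inv, p)   # Bob removes his lock
    return (m1, m2, m3), recovered


def vernam_three_pass(key, a, b):
    """The same three passes with one-time-pad 'locks' (xor with a and b)."""
    m1 = key ^ a
    m2 = m1 ^ b
    m3 = m2 ^ a                     # equals key ^ b
    return (m1, m2, m3), m3 ^ b


def eavesdropper_xor(messages):
    """What Eve computes from the three observed Vernam messages:
    (K^a) ^ (K^a^b) ^ (K^b) = K, because every pad appears an even number of times."""
    return reduce(lambda u, v: u ^ v, messages)


if __name__ == "__main__":
    k = 1 + secrets.randbelow(P - 1)
    wire, got = shamir_three_pass(k, pick_lock(P), pick_lock(P))
    print("modular version: Bob recovers K:", got == k)
    pad_a, pad_b = secrets.randbits(32), secrets.randbits(32)
    wire, got = vernam_three_pass(k, pad_a, pad_b)
    print("Vernam version: Bob recovers K:", got == k,
          "but so does Eve:", eavesdropper_xor(wire) == k)
```

In the modular version Eve sees $K^a$, $K^{ab}$ and $K^b$ and would need a discrete logarithm to strip a lock; the xor version fails because the "locks" cancel under the very operation Eve can perform on the ciphertexts.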

In the following scheme [10], we assume that Alice and Bob share two long-term symmetric keys $K$ and $K'$. Moreover, $h_K$ is a keyed hash function, used for entity authentication, and $h_{K'}$ is a keyed hash function, used to compute the session key.

Authenticated Key Exchange Protocol (AKEP2)

Let $id_A$ and $id_B$ be Alice's and Bob's identifiers.

1. Alice generates and sends a random number $r_A$ to Bob.

2. Bob replies with the message $(T, h_K(T))$, where $T = (id_B, id_A, r_A, r_B)$ and $r_B$ is a random number.

3. Alice verifies the received values and sends $(id_A, r_B), h_K(id_A, r_B)$.

4. Alice and Bob compute the session key as $W = h_{K'}(r_B)$.
The interpretation of the steps is quite straightforward. Key authentication is implicit since there is no confirmation at the end of the protocol. Entity authentication is obtained by using $h_K$ and the random numbers $r_A, r_B$: each party only accepts a keyed hash over a nonce it has just chosen.
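The exchange above, as an added example rather than code from the paper: HMAC-SHA256 stands in for the keyed hash functions $h_K$ and $h_{K'}$, both parties' messages and the checks each side performs are spelled out, and a replayed message 2 is shown to be rejected because it carries a stale $r_A$. Identifiers, nonces and long-term keys are constructed for the example.

```python
# Added example (not from the paper): AKEP2 with HMAC-SHA256 standing in for the keyed
# hash functions h_K and h_K'. Both parties' messages are shown, together with the checks
# each side performs, and a replayed message 2 is rejected. Identifiers, nonces and keys
# are constructed for the example.
import hashlib
import hmac
import secrets


def h(key, *fields):
    """Keyed hash over a tuple of fields; each field is length-prefixed so that
    (id, r) cannot be re-parsed as a different tuple."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        data = f if isinstance(f, bytes) else str(f).encode()
        mac.update(len(data).to_bytes(2, "big") + data)
    return mac.digest()


class Party:
    def __init__(self, ident, k, k_prime):
        self.ident, self.k, self.k_prime = ident, k, k_prime   # long-term keys K and K'


def step1_alice(alice):
    return secrets.token_bytes(16)                              # r_A


def step2_bob(bob, alice_id, r_a):
    r_b = secrets.token_bytes(16)
    t = (bob.ident, alice_id, r_a, r_b)
    return r_b, (t, h(bob.k, *t))                               # (T, h_K(T))


def step3_alice(alice, bob_id, r_a, msg2):
    """Alice checks that T names the right parties and echoes her fresh r_A before
    answering; a replayed msg2 carries a stale r_A and is rejected here."""
    t, tag = msg2
    if t[0] != bob_id or t[1] != alice.ident or t[2] != r_a:
        return None
    if not hmac.compare_digest(tag, h(alice.k, *t)):
        return None
    r_b = t[3]
    return r_b, ((alice.ident, r_b), h(alice.k, alice.ident, r_b))


def step4_bob_verify(bob, alice_id, r_b, msg3):
    body, tag = msg3
    return body == (alice_id, r_b) and hmac.compare_digest(tag, h(bob.k, alice_id, r_b))


def session_key(party, r_b):
    return h(party.k_prime, r_b)                                # W = h_K'(r_B)


def run_akep2(alice, bob, replayed_msg2=None):
    """Full run. If replayed_msg2 is given, Eve delivers it to Alice instead of Bob's
    fresh reply. Returns (Alice's W, Bob's W) or None if a check fails."""
    r_a = step1_alice(alice)
    r_b, msg2 = step2_bob(bob, alice.ident, r_a)
    out = step3_alice(alice, bob.ident, r_a, replayed_msg2 or msg2)
    if out is None:
        return None
    r_b_alice, msg3 = out
    if not step4_bob_verify(bob, alice.ident, r_b, msg3):
        return None
    return session_key(alice, r_b_alice), session_key(bob, r_b)


def make_pair():
    k, k_prime = secrets.token_bytes(32), secrets.token_bytes(32)
    return Party("alice", k, k_prime), Party("bob", k, k_prime)


def replay_demo():
    """Record msg2 from one run, replay it into a second run: Alice rejects it."""
    alice, bob = make_pair()
    r_a = step1_alice(alice)
    _, old_msg2 = step2_bob(bob, alice.ident, r_a)
    return run_akep2(alice, bob, replayed_msg2=old_msg2)


if __name__ == "__main__":
    alice, bob = make_pair()
    w = run_akep2(alice, bob)
    print("honest run, keys agree:", w is not None and w[0] == w[1])
    print("replayed msg2 accepted:", replay_demo() is not None)
```

The two keys $K$ and $K'$ are deliberately separate: the authentication tags are computed under $K$ and the session key under $K'$, so a tag never doubles as key material.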

Session keys can also be established by using public key techniques, which range from the trivial solution of one party generating and sending the session key to the other, to complex and well-designed schemes which use public key cryptosystems and digital signature schemes. To give an example of this approach, we describe one protocol of the standard X.509 [75]. It provides mutual entity authentication and implicit key authentication.



X.509 Strong Two-way Authentication (Simplified Version)

1. Alice constructs a message $M_A = (t_A, r_A, B, P_B(k_1))$ and sends to Bob

$$cert_A,\ M_A,\ Sign_A(M_A).$$

2. Bob constructs a similar message $M_B = (t_B, r_B, A, r_A, P_A(k_2))$ and sends to Alice

$$cert_B,\ M_B,\ Sign_B(M_B).$$



The protocol requires two steps. The messages $M_A$ and $M_B$ contain time stamps $t_A, t_B$, random numbers $r_A, r_B$, the public identifiers $A$ and $B$ of Alice and Bob, and the encryptions under the recipient's public key of the secret values $k_1, k_2$, chosen by Alice and Bob, respectively. Each user sends to the other the message, his own signature of it, and a certificate for his/her public key. At the end of the protocol they share two secrets, implicitly authenticated. Time stamps and random numbers are used to avoid replay attacks, in which the adversary stores a message and re-sends it later on, in order to share a key with one of the parties.

Many other protocols, based on the same cryptographic primitives but with slightly different messages and numbers of steps, have been proposed in recent years. Some interesting protocols which use both symmetric and public key primitives to establish session keys have been described as well. The Beller-Yacobi protocol [14,15] is a well-known example of these schemes, which are said to be hybrid schemes.

To close this brief overview of computationally secure key establishment schemes, we would like to stress once more the large number of papers that deal with this topic. The literature is really rich, and we just give the interested reader some more references that he may decide to consult, such as [2,4,8,10,12,13,16,19,31,36,41,42,45,46,50,51,52,53], [55,56,60,67,70,82,79,83,86,102,110,115,125,126,127,129,130,131,132]. Such a list is by no means exhaustive of the work done in the last years, as the reader can find out by browsing journals and conference proceedings related to cryptography and theoretical computer science in general.
3.3 Unconditionally Secure Schemes

Key establishment protocols secure against an unbounded adversary are said to be unconditionally secure: in other words, their security does not rely on computational assumptions about the power of the adversary or the amount of resources he can access. In this setting, the properties the protocol must satisfy are stated using the tools of Probability Theory. Further, several definitions can be easily stated by using Information Theory and the entropy function. Since in our presentation we are going to use such tools, we start by briefly recalling some notions. Most of the material of these subsections can be found in [121], which is a complete overview of unconditionally secure key predistribution schemes and broadcast encryption schemes.

Information Theory Background. Let $\mathbf{X}$ be a random variable taking values on a set $X$ according to a probability distribution $\{P_{\mathbf{X}}(x)\}_{x \in X}$. The entropy of $\mathbf{X}$, denoted by $H(\mathbf{X})$, is defined as

$$H(\mathbf{X}) = -\sum_{x \in X} P_{\mathbf{X}}(x) \log P_{\mathbf{X}}(x),$$

where the logarithm is relative to the base 2. The entropy satisfies

$$0 \le H(\mathbf{X}) \le \log |X|,$$

where $H(\mathbf{X}) = 0$ if and only if there exists $x_0 \in X$ such that $\Pr(\mathbf{X} = x_0) = 1$; whereas $H(\mathbf{X}) = \log |X|$ if and only if $\Pr(\mathbf{X} = x) = 1/|X|$ for all $x \in X$. The entropy of a random variable is usually interpreted as a measure of the:

— "Equidistribution" of the random variable. In this case, the entropy function is simply a mathematical function which says if the distribution of the random variable is close (i.e., $H(\mathbf{X}) \approx \log |X|$) or far (i.e., $H(\mathbf{X}) \approx 0$) from the uniform one.

— Amount of information given on average by the random variable. Assume that the random variable represents an experiment, and we have to take a decision depending on its outcome. Then, if the result is determined (i.e., $H(\mathbf{X}) = 0$), it gives us no information in order to take the decision: we can decide without looking at the experiment because we already know what the result will be. On the other hand, if the output is totally random (i.e., $H(\mathbf{X}) = \log |X|$), the knowledge of the result can help us (i.e., gives information) about the appropriate decision.

Given two random variables $\mathbf{X}$ and $\mathbf{Y}$, taking values on sets $X$ and $Y$, respectively, according to a probability distribution $\{P_{\mathbf{XY}}(x,y)\}_{x \in X, y \in Y}$ on their Cartesian product, the conditional entropy $H(\mathbf{X}|\mathbf{Y})$ is defined as

$$H(\mathbf{X}|\mathbf{Y}) = -\sum_{y \in Y} \sum_{x \in X} P_{\mathbf{Y}}(y)\, P_{\mathbf{X}|\mathbf{Y}}(x|y) \log P_{\mathbf{X}|\mathbf{Y}}(x|y).$$

Since $H(\mathbf{X}|\mathbf{Y})$ can be re-written as $\sum_{y \in Y} P_{\mathbf{Y}}(y)\, H(\mathbf{X}|\mathbf{Y} = y)$, it follows that

$$H(\mathbf{X}|\mathbf{Y}) \ge 0, \qquad (1)$$

with equality if and only if $\mathbf{X}$ is a function of $\mathbf{Y}$. Along the same line, the conditional entropy is a measure of the amount of information that $\mathbf{X}$ "still has", once $\mathbf{Y}$ is given.

The mutual information between $\mathbf{X}$ and $\mathbf{Y}$ is given by

$$I(\mathbf{X};\mathbf{Y}) = H(\mathbf{X}) - H(\mathbf{X}|\mathbf{Y}).$$

Since $I(\mathbf{X};\mathbf{Y}) = I(\mathbf{Y};\mathbf{X})$ and $I(\mathbf{X};\mathbf{Y}) \ge 0$, it is easy to see that

$$H(\mathbf{X}) \ge H(\mathbf{X}|\mathbf{Y}), \qquad (2)$$

with equality if and only if $\mathbf{X}$ and $\mathbf{Y}$ are independent. The mutual information is a measure of the common information between $\mathbf{X}$ and $\mathbf{Y}$.

The protocols we discuss later on can be concisely described by using a common framework. Key Predistribution Schemes, Key Agreement Schemes and Broadcast Encryption Schemes can all be defined in terms of the entropy function by means of a few equations. Thus, we start by outlining the model we consider in the following:

Model. Let TA be a trusted authority and let $U = \{1, \ldots, n\}$ be a set of users. Each user is connected with the TA by means of a private channel. Moreover, TA and users have access to a broadcast channel.

In a Key Predistribution Scheme the TA generates and distributes secret information to each user along the private channels. The secret information enables later on several subsets of users to compute secret keys. More precisely, if $2^U$ denotes the set of all subsets of users $U$, we define $\mathcal{P} \subseteq 2^U$ to be the family of privileged subsets of $U$ who need a common key, and $\mathcal{F} \subseteq 2^U$ to be the family of forbidden subsets, i.e., the possible coalitions of $U$ against whom each key must remain secure. After the distribution phase performed by the TA, each privileged subset $P \in \mathcal{P}$ is able to compute the key $k_P$ associated with $P$. On the other hand, no forbidden subset $F \in \mathcal{F}$, disjoint from $P$, is able to compute any information about $k_P$. We stress that in such schemes each user computes the keys by using the secret information and possibly some public information available across the system, but no interaction either with the other users or with the TA is required. In a certain way, the keys are predetermined by the secret information.

The information given to user $i$ through a private channel can be denoted, for $i = 1, \ldots, n$, by $u_i \in U_i$, where $U_i$ represents a set of possible values. Moreover, for any subset $X = \{i_1, \ldots, i_k\} \subseteq U$, we denote by $U_X = U_{i_1} \times \cdots \times U_{i_k}$ the usual Cartesian product.

We assume that there is a probability distribution on $U_U$, and the TA chooses $u_U \in U_U$ according to this probability distribution. Using the above notation, we can state the following:
Definition 9. A $(\mathcal{P}, \mathcal{F})$-Key Predistribution Scheme ($(\mathcal{P}, \mathcal{F})$-KPS, for short) is a protocol divided in two phases: a distribution phase, performed by the TA, and a key computation phase, performed by the users, satisfying the following properties:

— Each user $i$ in any privileged set $P$ can compute $k_P$. More formally, for all $P \in \mathcal{P}$ and $i \in P$,

$$H(\mathbf{K}_P \,|\, \mathbf{U}_i) = 0.$$

— No forbidden subset $F$, disjoint from a privileged subset $P$, has any information on $k_P$. More formally, for all $P \in \mathcal{P}$ and $F \in \mathcal{F}$ such that $P \cap F = \emptyset$,

$$H(\mathbf{K}_P) = H(\mathbf{K}_P \,|\, \mathbf{U}_F).$$

A trivial Key Predistribution Scheme consists in giving to each possible subset $P$ of privileged users a secret key $k_P$.

Basic KPS

— Distribution Phase. The TA chooses a value $k_P \in \mathcal{K}$ for each $P \in \mathcal{P}$ and gives the value to every user $i \in P$.

— Key Computation Phase. Every user $i$ just looks up the key $k_P$ in his or her memory.

Notice that with this solution there is no real key computation phase: each user gets the keys corresponding to the groups to which he belongs. Moreover, it is easy to see that any coalition $F$ with $F \cap P = \emptyset$ has no information on $k_P$, since $k_P$ was handed out only to the members of $P$ and is independent of every other key.
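As an added example (not code from the paper), the block below implements the entropy, conditional entropy and mutual information defined in the Information Theory Background above on explicit joint distributions, and then evaluates the two conditions of Definition 9 on the Basic KPS for $n = 3$ users with $t = 2$ and one-bit keys: $H(\mathbf{K}_{\{1,2\}} | \mathbf{U}_1) = 0$ for a member, and $H(\mathbf{K}_{\{1,2\}}) = H(\mathbf{K}_{\{1,2\}} | \mathbf{U}_3)$ for the outsider. The distributions are built by enumerating all $2^3$ key assignments; the user set and key size are constructed for the example.

```python
# Added example (not from the paper): the entropy, conditional entropy and mutual
# information defined above, computed on explicit joint distributions, and then used to
# check the two conditions of Definition 9 on the Basic KPS for n = 3 users, t = 2, with
# one-bit keys. The distributions are built by enumerating all key assignments.
from itertools import product
from math import log2


def entropy(dist):
    """H(X) for dist = {x: P(x)}; terms with P(x) = 0 contribute 0."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def marginal(joint, coord):
    out = {}
    for xy, p in joint.items():
        out[xy[coord]] = out.get(xy[coord], 0.0) + p
    return out


def conditional_entropy(joint):
    """H(X|Y) = -sum P(x,y) log P(x|y), with P(x|y) = P(x,y)/P(y); joint = {(x, y): P}."""
    p_y = marginal(joint, 1)
    return -sum(p * log2(p / p_y[y]) for (x, y), p in joint.items() if p > 0)


def mutual_information(joint):
    """I(X;Y) = H(X) - H(X|Y)."""
    return entropy(marginal(joint, 0)) - conditional_entropy(joint)


# Basic KPS, n = 3, t = 2: the TA draws one uniform bit k_P for each P in {12, 13, 23}
# and hands user i every k_P with i in P.
PAIRS = (("1", "2"), ("1", "3"), ("2", "3"))


def user_view(assignment, user):
    """U_i: the keys user i stores, as a tuple ordered by PAIRS."""
    return tuple(assignment[P] for P in PAIRS if user in P)


def joint_key_vs_user(target, user):
    """Joint distribution of (K_target, U_user) under uniform key bits."""
    joint = {}
    for bits in product((0, 1), repeat=len(PAIRS)):
        assignment = dict(zip(PAIRS, bits))
        xy = (assignment[target], user_view(assignment, user))
        joint[xy] = joint.get(xy, 0.0) + 1.0 / 2 ** len(PAIRS)
    return joint


def kps_conditions(target, member, outsider):
    """Returns (H(K_P|U_member), H(K_P) - H(K_P|U_outsider)). Definition 9 requires the
    first to be 0 (the member can compute k_P) and the second to be 0 (the outsider
    learns nothing, i.e. I(K_P; U_outsider) = 0)."""
    j_member = joint_key_vs_user(target, member)
    j_outsider = joint_key_vs_user(target, outsider)
    return conditional_entropy(j_member), mutual_information(j_outsider)


if __name__ == "__main__":
    print("H(fair coin) =", entropy({0: 0.5, 1: 0.5}))
    print("H(K_12 | U_1), I(K_12 ; U_3) =", kps_conditions(("1", "2"), "1", "3"))
```

The same two functions apply unchanged to the key agreement and broadcast encryption definitions later in this section; only the conditioning variable changes (the user's private information together with the messages it received, or with the broadcast).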

The main problem with the above scheme is the large amount of secret keys that each user has to store. Using the language of Information Theory, we can say that the efficiency of a KPS is measured by the amount of secret information that the TA distributes and that each user has to store. More precisely, two measures, the information rate and the total information rate, are defined respectively as

$$\rho = \min_{i \in U} \frac{H(\mathbf{K})}{H(\mathbf{U}_i)} \qquad \text{and} \qquad \rho_T = \frac{H(\mathbf{K})}{H(\mathbf{U}_U)}.$$

The first measure is the minimum ratio between the size of the secret key and the size of the secret information given to a user. The second is the ratio between the size of the secret key and the size of the total secret information given to the users in $U$.

Coming back to the Basic Scheme, if $\mathcal{P}$ is the set of all subsets of $U$ of size $t$ we denote the $(\mathcal{P}, \mathcal{F})$-KPS as a $(t, \mathcal{F})$-KPS. Along the same line, if $\mathcal{P}$ is the set of all subsets of $U$ of size at most $t$ we will use the notation $(\le t, \mathcal{F})$-KPS. Moreover, if $\mathcal{F}$ is the set of all subsets of $U$ of size (at most) $\omega$, we will refer to a $(\mathcal{P}, \omega)$-KPS (a $(\mathcal{P}, \le \omega)$-KPS, respectively).

From the above construction, the next result easily follows:

Theorem 1. For any $t \ge 1$, there is a $(t, \le n)$-KPS having information rate and total information rate equal to

$$\rho = \frac{1}{\binom{n-1}{t-1}} \qquad \text{and} \qquad \rho_T = \frac{1}{\binom{n}{t}}.$$

If $t = 2$, the above result states that the basic scheme enables any pair of users to privately communicate against any disjoint coalition of at most $n-2$ users by giving $n-1$ secret keys to each user. Further, the TA has to generate $\binom{n}{2} = \frac{n(n-1)}{2}$ keys. In the literature this large amount of keys that must be generated is well-known as the $n^2$ problem and was the motivation for further research. Indeed, given the high complexity of such a distribution mechanism, a natural step is to trade complexity for security. We may still require that keys are unconditionally secure, but only with respect to coalitions of a limited size.

In order to reduce the number of keys that each user has to store and the TA has to generate in the Basic Scheme, Blom [21] introduced a scheme enabling a tradeoff between the number of keys that each user has to store and the size of the coalition of adversaries that can break the scheme. The protocol he gave in [21] can be described as follows:



Blom's Scheme

— Distribution Phase. Let $q > n$ be a prime power. The TA chooses $n$ distinct random numbers $s_i \in GF(q)$, and gives $s_i$ to user $i$, for $i = 1, \ldots, n$. These values are public identifiers for the users. Then, the TA constructs a random bivariate polynomial

$$f(x, y) = \sum_{i=0}^{\omega} \sum_{j=0}^{\omega} a_{ij}\, x^i y^j$$

having coefficients in $GF(q)$, such that $a_{ij} = a_{ji}$ for all $i, j$.

— For $i = 1, \ldots, n$, the TA computes the polynomial

$$g_i(x) = f(x, s_i) = \sum_{j=0}^{\omega} b_{ij}\, x^j,$$

and gives the $\omega + 1$ values $b_{ij}$ to user $i$.

— Key Computation Phase. Users $i$ and $j$ compute the key

$$k_{\{i,j\}} = g_i(s_j) = g_j(s_i).$$
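An added example (not code from the paper) of Blom's scheme over $GF(q)$ with $q$ prime: the TA's setup, the pairwise key computation, and the tradeoff the scheme buys. A coalition attacking $k_{\{i,j\}} = f(s_i, s_j)$ knows, from its own shares, the values of the degree-$\omega$ polynomial $h(y) = f(s_i, y)$ at its members' identifiers; with $\omega + 1$ members it interpolates $h$ and reads off $h(s_j)$, with $\omega$ members it cannot. The field size $q = 2^{31}-1$, the number of users and the `rng` hook (for reproducible runs; a real TA uses `secrets.SystemRandom()`) are this example's own choices.

```python
# Added example (not from the paper): Blom's scheme over GF(q) with q prime (q = 2^31 - 1,
# a constructed toy size), the pairwise key computation, and the collusion bound: omega + 1
# users who pool their shares recover another pair's key by Lagrange interpolation, while
# omega of them cannot. The rng argument only exists so a caller can make runs reproducible;
# a real TA uses secrets.SystemRandom().
import random
import secrets

Q = 2147483647


def seeded_rng(seed):
    """Reproducible generator for demonstrations only; never for a real TA."""
    return random.Random(seed)


def blom_setup(n, omega, q=Q, rng=None):
    """TA: public identifiers s_i, symmetric f(x,y) of degree omega in each variable,
    and user i's private share, the omega+1 coefficients b_{i,j} of g_i(x) = f(x, s_i)."""
    rng = rng or secrets.SystemRandom()
    ids = rng.sample(range(1, q), n)                    # distinct, nonzero
    a = [[0] * (omega + 1) for _ in range(omega + 1)]
    for i in range(omega + 1):
        for j in range(i, omega + 1):
            a[i][j] = a[j][i] = rng.randrange(q)        # a_ij = a_ji
    shares = {}
    for u in range(n):
        s = ids[u]
        # b_{u,i} = sum_j a_ij s^j  ->  g_u(x) = sum_i b_{u,i} x^i = f(x, s)
        shares[u] = [sum(a[i][j] * pow(s, j, q) for j in range(omega + 1)) % q
                     for i in range(omega + 1)]
    return ids, shares


def blom_key(share, peer_id, q=Q):
    """k_{u,v} = g_u(s_v); symmetry of f gives g_u(s_v) = g_v(s_u)."""
    return sum(c * pow(peer_id, i, q) for i, c in enumerate(share)) % q


def interpolate_at(points, x0, q=Q):
    """Value at x0 of the unique polynomial of degree < len(points) through the points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def coalition_guess(ids, shares, coalition, i, j, q=Q):
    """Coalition C attacks k_{i,j} = f(s_i, s_j). Put h(y) = f(s_i, y), of degree omega.
    Each c in C knows h(s_c) = f(s_i, s_c) = g_c(s_i). From |C| points the coalition
    interpolates h and evaluates it at s_j: exact iff |C| >= omega + 1."""
    points = [(ids[c], blom_key(shares[c], ids[i], q)) for c in coalition]
    return interpolate_at(points, ids[j], q)


def demo(n=8, omega=3, rng=None):
    """(keys agree, omega+1 colluders recover k_{0,1}, omega colluders recover k_{0,1})."""
    ids, shares = blom_setup(n, omega, Q, rng)
    k01 = blom_key(shares[0], ids[1])
    agree = k01 == blom_key(shares[1], ids[0])
    big = coalition_guess(ids, shares, list(range(2, 2 + omega + 1)), 0, 1)
    small = coalition_guess(ids, shares, list(range(2, 2 + omega)), 0, 1)
    return agree, big == k01, small == k01


if __name__ == "__main__":
    print("keys agree, omega+1 colluders succeed, omega colluders succeed:", demo())
```

With $\omega$ colluders the interpolated polynomial has degree at most $\omega - 1$ and can agree with $h$ on at most $\omega$ points, which are exactly the colluders' own identifiers; every candidate value at $s_j$ is consistent with what they know, which is the information-theoretic statement of Theorem 2.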



The original formulation of the scheme uses MDS codes [21], and the interested reader can consult [94] for the original description of Blom's scheme and some background on MDS codes as well. Blom's scheme was reformulated in terms of symmetric polynomials in [26], where a generalization to the case of $(t, \le \omega)$-KPS was given. More precisely:
Blundo et al.'s Scheme

— Distribution Phase. Let $q > n$ be a prime power. The TA chooses $n$ distinct random numbers $s_i \in GF(q)$, and gives $s_i$ to user $i$, for $i = 1, \ldots, n$. These values are public identifiers for the users. Then, the TA constructs a random $t$-variate polynomial

$$f(x_1, \ldots, x_t) = \sum_{i_1=0}^{\omega} \cdots \sum_{i_t=0}^{\omega} a_{i_1 \ldots i_t}\, x_1^{i_1} \cdots x_t^{i_t}$$

having coefficients in $GF(q)$, such that $a_{i_1 \ldots i_t} = a_{j_1 \ldots j_t}$ for any permutation $j_1 \ldots j_t$ of the set of indices $i_1 \ldots i_t$.

— For $i = 1, \ldots, n$, the TA computes and sends to user $i$ the polynomial

$$g_i(x_2, \ldots, x_t) = f(s_i, x_2, \ldots, x_t).$$

— Key Computation Phase. Any set of $t$ users $P = \{i_1, \ldots, i_t\}$ computes the key

$$k_P = g_{i_1}(s_{i_2}, \ldots, s_{i_t}) = \cdots = g_{i_t}(s_{i_1}, \ldots, s_{i_{t-1}}).$$



Blom's Scheme and its generalization, by a simple counting argument on the number of coefficients of a symmetric polynomial, lead to the following result:

Theorem 2. For any $t \ge 2$ and $\omega \ge 1$, there exists a $(t, \le \omega)$-KPS having information rate and total information rate equal to

$$\rho = \frac{1}{\binom{\omega + t - 1}{t - 1}} \qquad \text{and} \qquad \rho_T = \frac{1}{\binom{\omega + t}{t}}.$$

Moreover, in [26] it was shown, using Information Theory arguments, that the Basic Scheme, Blom's Scheme and Blundo et al.'s Scheme are optimal in terms of information rate and total information rate.

Another $(\mathcal{P}, \mathcal{F})$-KPS was proposed by Fiat and Naor in [58]. It was presented as a zero-message broadcast encryption scheme (which will be defined later) but, as pointed out by Stinson, it turns out to be actually a KPS. More precisely, the scheme they described is a $(\le n, \le \omega)$-KPS.

Fiat-Naor Scheme

— For every subset $F \in \mathcal{F}$, where $\mathcal{F}$ is the set of all subsets of $U$ of cardinality at most $\omega$, the TA chooses a random value $s_F \in GF(q)$ and sends $s_F$ to every member of $U \setminus F$.

— A privileged subset $P$ computes

$$k_P = \sum_{F \in \mathcal{F} \,:\, F \cap P = \emptyset} s_F.$$

It is easy to see that a key $k_P$, computed by the set of users $P$, is secure against any $F \in \mathcal{F}$ with $F \cap P = \emptyset$: the addend $s_F$ of $k_P$ was sent only to $U \setminus F$, so no user belonging to the subset $F$ gets the value $s_F$ associated with $F$.
Stinson, in his survey [121], pointed out that the Basic Scheme and the Fiat-Naor Scheme can be seen as instances of a more general construction based on the idea of key distribution patterns, introduced by Mitchell and Piper in [95]. (For constructions see also [105,122].)

Definition 10. Let $\mathcal{B} = \{B_1, \ldots, B_\beta\}$ be a set of subsets of $U$. The pair $(U, \mathcal{B})$ is a $(\mathcal{P}, \mathcal{F})$-Key Distribution Pattern ($(\mathcal{P}, \mathcal{F})$-KDP for short) if for all $P \in \mathcal{P}$ and $F \in \mathcal{F}$ such that $P \cap F = \emptyset$ it holds that

$$\{B_j \,:\, P \subseteq B_j \text{ and } F \cap B_j = \emptyset\} \neq \emptyset.$$

Loosely speaking, the above definition requires that each $P \in \mathcal{P}$ is "embedded" in some $B_j \in \mathcal{B}$ disjoint from each $F$ with $F \cap P = \emptyset$.

A $(\mathcal{P}, \mathcal{F})$-KPS can be constructed by using a $(U, \mathcal{B})$-KDP as follows:

KDP-Based Scheme

— For every subset $B_j \in \mathcal{B}$ the TA chooses a random value $s_{B_j} \in GF(q)$ and sends $s_{B_j}$ to every user in $B_j$.

— A privileged subset $P$ computes

$$k_P = \sum_{B_j \,:\, P \subseteq B_j} s_{B_j}.$$

The scheme works because every user $i \in P$ can compute the key: if $i \in P$ and $P \subseteq B_j$ then $i \in B_j$, hence he gets $s_{B_j}$ for all $B_j$ with $P \subseteq B_j$. On the other hand, every disjoint $F$ will miss at least one value $s_{B_j}$, namely the one of a subset $B_j$ such that $P \subseteq B_j$ and $B_j \cap F = \emptyset$, which exists by Definition 10.
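The KDP-based scheme, as an added example that is not code from the paper, instantiated twice on a constructed five-user set: with the privileged sets themselves as blocks it is the Basic Scheme (each user stores $n - 1 = 4$ values for $t = 2$, as in Theorem 1), and with the complements $U \setminus F$ of the forbidden sets as blocks it is the Fiat-Naor scheme. The code checks Definition 10, that every member of $P$ computes the same $k_P$, and that every disjoint coalition lacks at least one addend of $k_P$. The field size $q = 2^{31}-1$ and the `rng` hook (reproducibility only) are this example's own choices.

```python
# Added example (not from the paper): the KDP-based scheme, instantiated as the Basic
# Scheme (blocks = privileged sets) and as the Fiat-Naor scheme (blocks = complements of
# the forbidden sets), with a check of Definition 10 and of the two KPS conditions for a
# small user set. q = 2^31 - 1 and the user set are constructed; rng is for reproducibility.
import secrets
from itertools import combinations

Q = 2147483647


def subsets(universe, sizes):
    return {frozenset(c) for k in sizes for c in combinations(sorted(universe), k)}


def is_kdp(blocks, privileged, forbidden):
    """Definition 10: every disjoint pair (P, F) has a block containing P and missing F."""
    return all(any(P <= B and not (F & B) for B in blocks)
               for P in privileged for F in forbidden if not (P & F))


def distribute(universe, blocks, q=Q, rng=None):
    """TA: one random s_B per block, handed to every user in B. Returns each user's info."""
    rng = rng or secrets.SystemRandom()
    s = {B: rng.randrange(q) for B in blocks}
    return {u: {B: s[B] for B in blocks if u in B} for u in universe}


def group_key(info_u, P, q=Q):
    """k_P = sum of s_B over blocks B containing P; any user of P can form it."""
    return sum(v for B, v in info_u.items() if P <= B) % q


def coalition_missing(info, blocks, P, F):
    """Blocks whose secret k_P needs but no member of F holds (nonempty for a KDP)."""
    known = set().union(*(info[u].keys() for u in F)) if F else set()
    return {B for B in blocks if P <= B} - known


def basic_pattern(universe, t):
    """Basic Scheme: B = P for every t-subset of users."""
    return subsets(universe, [t])


def fiat_naor_pattern(universe, omega):
    """Fiat-Naor: one block U \\ F per forbidden set F with |F| <= omega (F empty included)."""
    return {frozenset(universe - F) for F in subsets(universe, range(omega + 1))}


def check_scheme(universe, blocks, privileged, forbidden, rng=None):
    """Returns (is a KDP, all members of every P agree on k_P, every disjoint F misses a
    needed block, max number of secrets stored by one user)."""
    info = distribute(universe, blocks, Q, rng)
    agree = all(len({group_key(info[u], P) for u in P}) == 1 for P in privileged)
    secure = all(coalition_missing(info, blocks, P, F)
                 for P in privileged for F in forbidden if not (P & F))
    return (is_kdp(blocks, privileged, forbidden), agree, secure,
            max(len(v) for v in info.values()))


if __name__ == "__main__":
    U = frozenset(range(1, 6))
    pairs = subsets(U, [2])
    print("Basic, t=2:", check_scheme(U, basic_pattern(U, 2), pairs, subsets(U, range(1, 4))))
    print("Fiat-Naor, omega=1:", check_scheme(U, fiat_naor_pattern(U, 1),
                                              subsets(U, range(1, 6)), subsets(U, [1])))
```

A pattern that is not a KDP fails the security check in the expected place: with the single block $\{1,2,3\}$, $P = \{1,2\}$ and $F = \{3\}$, user 3 holds the only addend of $k_P$.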

Many examples of such a construction are given in [121], and the interested reader is strongly encouraged to read that paper.

The main drawback of Key Predistribution Schemes lies in the high memory storage requirement. In order to avoid such a heavy requirement, a second approach to the key establishment problem, allowing interaction among the users to compute a common key, was introduced. More precisely, during the Key Computation Phase, the members of a group $G$, using the secret information received in the Distribution Phase, interact to agree on a key by exchanging encrypted messages among themselves via the broadcast channel. Any disjoint coalition of adversaries $F$ that hears the communication is still unable to gain any information about the key. This approach, usually referred to as unconditionally secure key agreement, was initiated in [26] and continued by Beimel and Chor [6,7], and it was aimed at reducing the size of the information each user must keep secret.

Denoting by $\mathbf{C}_i$ the random variable taking values on the set $C_i$ and representing the messages received by user $U_i$ during the key computation phase, sent by the other users of the system, and using again the language of Information Theory, such schemes can be defined as follows:
Definition 11. A $(\mathcal{P}, \mathcal{F})$-Key Agreement Scheme ($(\mathcal{P}, \mathcal{F})$-KAS, for short) is a protocol divided in two phases: a distribution phase, performed by the TA, and a key computation phase, performed by the users, satisfying the following properties:

— Each user $i$ in any privileged set $P$ can compute $k_P$ by using the private information received in the distribution phase and the messages received during the key computation phase. More formally, for all $P \in \mathcal{P}$ and $i \in P$,

$$H(\mathbf{K}_P \,|\, \mathbf{U}_i \mathbf{C}_i) = 0.$$

— No forbidden subset $F$, disjoint from a privileged subset $P$, has any information on $k_P$. More formally, for all $P \in \mathcal{P}$ and $F \in \mathcal{F}$ such that $P \cap F = \emptyset$,

$$H(\mathbf{K}_P) = H(\mathbf{K}_P \,|\, \mathbf{U}_F \mathbf{C}_F).$$

Also for key agreement schemes, the performance is measured by an information rate, a communication rate and a total information rate, defined respectively as

$$\rho = \min_{i \in U} \frac{H(\mathbf{K})}{H(\mathbf{U}_i)}, \qquad \rho_C = \min_{P \in \mathcal{P}} \min_{i \in P} \frac{H(\mathbf{K})}{H(\mathbf{C}_i)}, \qquad \text{and} \qquad \rho_T = \min_{P \in \mathcal{P}} \frac{H(\mathbf{K})}{H(\mathbf{U}_U \mathbf{C}_P)}.$$

The first measure is the minimum ratio between the size of the secret key and the size of the secret information given to a user. The second is the minimum ratio between the size of the secret key and the size of the messages received by a user $i \in P$; while the third measure is the minimum ratio between the size of the secret key and the total secret information given to the users in $U$ together with the messages $\mathbf{C}_P$ exchanged to compute a common key.

Unfortunately, in [6] the authors studied key agreement schemes for groups of users $G$ of size $g$ and coalitions of adversaries $F$ of size $b$, and proved that interaction cannot help in reducing the size of the pieces of information given to the users, compared to the non-interactive model we have seen before. Hence, in order to decrease the size of the secret information, we have to relax the security requirements. We can require the key agreement scheme to be secure only a fixed number of times, say $\tau$, defining $\tau$-restricted key agreement schemes. In such schemes we limit to $\tau$ the number of groups of users, whose identity is not known beforehand, that can compute a common key in an unconditionally secure way. For such schemes Beimel and Chor in [6,7] realized a one-restricted scheme, where the size of the pieces given to the users is smaller than in unrestricted key agreement schemes. In the literature a one-restricted scheme is also referred to as a one-time scheme, because it can be used to compute only one common key by a single group of users of the system.

In [29] the authors presented a generalization of the one-restricted scheme proposed by Beimel and Chor [6,7] using tools from design theory. In order to give an example of an unconditionally secure Key Agreement Scheme, we describe this scheme [29]. However, we need some definitions and results from design theory. Compared to the other protocols we have seen before, the description of the following one is a bit more complicated but, at the same time, it is a good example of the elegant and refined use of combinatorial structures that is often made in Cryptography.



Definition 12. A design is a pair $(V, \mathcal{B})$, where $V$ is a set of $n$ elements (called points) and $\mathcal{B}$ is a set of subsets of $V$ of a fixed size $k$, where $k \ge 2$ (called blocks).

The designs with the features we need are resolvable designs.

Definition 13. A parallel class of $(V, \mathcal{B})$ consists of $n/k$ blocks from $\mathcal{B}$ which partition the set $V$. The design $(V, \mathcal{B})$ is said to be resolvable if the set of blocks $\mathcal{B}$ can be partitioned into parallel classes. If $\mathcal{B}$ consists of all $k$-subsets of $V$, then $(V, \mathcal{B})$ is called the complete $k$-uniform hypergraph on $V$.

We will use the following theorem of Baranyai, a proof of which can be found in [84] (Theorem 36.1).

Theorem 3. The complete $k$-uniform hypergraph on $n$ points is resolvable if $n \equiv 0 \pmod{k}$.



Notice that in the following the elements of a set are always listed in increasing order.

A Protocol for a One-Restricted Key Agreement Scheme. Let $U = \{1, \ldots, n\}$ be a set of $n$ users and let $G \subseteq U$ be a group of users of size $g$. Suppose that $\ell \ge 2$ is an integer such that $g \equiv 1 \pmod{\ell - 1}$ and that $k \ge 1$ is an integer. The set-up phase consists of the TA distributing secret information corresponding to a Blundo et al. $(\ell, b + g - \ell)$-KPS as described before, implemented over $(\mathbb{Z}_{p^k})^\ell$, with $p$ prime. For an $\ell$-subset of users $A$, we denote by $k_A$ the key associated with $A$. We will think of $k_A$ as being made up of $\ell$ independent keys over $\mathbb{Z}_{p^k}$, which we denote by $k_{A,1}, \ldots, k_{A,\ell}$.

Each user $h$ of a group $G$ performs the following steps:

1. Chooses a random value $m^h = (m_1^h, \ldots, m_r^h) \in (\mathbb{Z}_{p^k})^r$, where $r = \binom{g-2}{\ell-2}$.

2. Partitions the complete $(\ell-1)$-uniform hypergraph on $G \setminus \{h\}$ into $r$ parallel classes $C_1^h, \ldots, C_r^h$, which all consist of $\gamma = (g-1)/(\ell-1)$ blocks that we denote by $B_{i,j}^h$, for $1 \le i \le r$ and $1 \le j \le \gamma$.

3. For each block $B_{i,j}^h$ denote by $B(i,j,h)$ the set $B_{i,j}^h \cup \{h\} = \{x_1, \ldots, x_\ell\}$, and let $\alpha_{i,j}^h$ denote the index such that $x_{\alpha_{i,j}^h} = h$.

4. Encrypts each $m_i^h$ using the $\gamma$ keys by defining

$$b_{i,j}^h = m_i^h + k_{B(i,j,h),\,\alpha_{i,j}^h} \bmod p^k,$$

for $1 \le i \le r$ and $1 \le j \le \gamma$.

5. Broadcasts the vector

$$b^h = (b_{1,1}^h, \ldots, b_{1,\gamma}^h, \ldots, b_{r,1}^h, \ldots, b_{r,\gamma}^h).$$

The secret key is the value $k_G = (m^{(1)}, \ldots, m^{(g)})$, which can be decrypted by anyone in $G$ from the global broadcast $b_G = (b^{(1)}, \ldots, b^{(g)})$: in every parallel class of user $h$ the decrypting user belongs to exactly one block, and he holds the key of that block extended by $h$.
The next simple example illustrates the steps of this protocol.

Example 1. Suppose that $g = 5$ and $\ell = 3$. Note that $5 \equiv 1 \pmod 2$. Suppose that the group is $G = \{1, 2, 3, 4, 5\}$. For each user $h \in G$, we partition the 2-subsets of $G \setminus \{h\}$ into $r = 3$ disjoint parallel classes. Below, we describe only the ones related to user 4:

$$C_1^4 = \{\{1,2\}, \{3,5\}\}, \qquad C_2^4 = \{\{1,3\}, \{2,5\}\}, \qquad C_3^4 = \{\{1,5\}, \{2,3\}\}.$$

Consider the computations performed by user 4. First, user 4 picks three random values (i.e., his part of the key), say $m_1^4, m_2^4, m_3^4 \in \mathbb{Z}_{p^k}$. Next, he computes the relevant $\alpha$ values. These are as follows:

$$\alpha_{1,1}^4 = 3, \quad \alpha_{1,2}^4 = 2, \quad \alpha_{2,1}^4 = 3, \quad \alpha_{2,2}^4 = 2, \quad \alpha_{3,1}^4 = 2, \quad \alpha_{3,2}^4 = 3.$$

This determines the values broadcast by user 4:

$$b^{(4)} = \big(m_1^4 + k_{\{1,2,4\},3},\ m_1^4 + k_{\{3,4,5\},2},\ m_2^4 + k_{\{1,3,4\},3},\ m_2^4 + k_{\{2,4,5\},2},\ m_3^4 + k_{\{1,4,5\},2},\ m_3^4 + k_{\{2,3,4\},3}\big).$$

The security of the above protocol derives from the observation that any coalition $F$ of $b$ users such that $F \cap G = \emptyset$ has no information about the key after observing the broadcast, even if its members pool all their secret information. Indeed, as proved in Lemma 3.3 of [29], the $\binom{g}{\ell}$ keys $k_A$ used by the group (each made up of $\ell$ components $k_{A,j}$) appear to any disjoint coalition to be independent random elements of $\mathbb{Z}_{p^k}$. Since each of these components is used exactly once (the definition of the indices $\alpha_{i,j}^h$ ensures that every $k_{A,j}$ is used to encrypt exactly one $m_i^h$), they function as a series of one-time pads.

Notice that, using $\tau$ copies of a one-restricted scheme, we can set up a scheme which is secure for $\tau$ conferences. Such an approach, even though it allows us to construct a scheme in a straightforward manner, does not give rise to a scheme which is optimal with respect to the size of the information kept by each user [23].
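The one-restricted protocol above for $\ell = 3$, as an added example that is not code from the paper. For $\ell = 3$ the parallel classes of Baranyai's theorem are perfect matchings of the complete graph on $G \setminus \{h\}$, produced here by the round-robin 1-factorization (the classes may come out in a different order than in Example 1). Two substitutions are this example's own: the underlying $(3, \le n)$-KPS is the Basic Scheme rather than Blundo et al.'s polynomial scheme, which the protocol does not depend on, and the modulus $p^k$ is $2^{32}$; the user set, the group and the `rng` hook (reproducibility only) are likewise constructed. The code runs a user's steps 1 to 5, lets every other group member decrypt, counts how often each pad $k_{A,\alpha}$ is used, and checks that an outsider holds none of them.

```python
# Added example (not from the paper): the one-restricted key agreement protocol above for
# ell = 3, where the parallel classes of Baranyai's theorem are the perfect matchings of a
# round-robin 1-factorization of the complete graph on G \ {h}. The underlying KPS is the
# Basic (3, <= n)-KPS rather than Blundo et al.'s polynomial scheme (any (ell, ...)-KPS
# works for the protocol); the modulus p^k = 2^32, the user set and the group are
# constructed; rng is for reproducibility only.
import random
import secrets
from itertools import combinations

MOD = 2 ** 32          # p^k with p = 2, k = 32
ELL = 3


def parallel_classes(points):
    """Round-robin 1-factorization: partitions all 2-subsets of an even-size point set
    into |points| - 1 perfect matchings (parallel classes)."""
    pts = sorted(points)
    n = len(pts)
    assert n % 2 == 0, "need g - 1 = 0 mod (ell - 1)"
    classes = []
    for i in range(n - 1):
        cls = [frozenset((pts[n - 1], pts[i]))]
        cls += [frozenset((pts[(i + k) % (n - 1)], pts[(i - k) % (n - 1)]))
                for k in range(1, n // 2)]
        classes.append(cls)
    return classes


def basic_kps(universe, rng=None):
    """Stand-in (3, <= n)-KPS: every 3-subset A gets ell independent keys k_{A,1..ell},
    stored by each of its members."""
    rng = rng or secrets.SystemRandom()
    keys = {frozenset(A): [rng.randrange(MOD) for _ in range(ELL)]
            for A in combinations(sorted(universe), ELL)}
    return {u: {A: k for A, k in keys.items() if u in A} for u in universe}


def position_of(h, block):
    """alpha: 1-based index of h in B(i,j,h) = block U {h} listed in increasing order."""
    return sorted(block | {h}).index(h) + 1


def contribute(h, group, my_keys, rng=None):
    """User h's steps 1-5: choose m^h, one component per class, and encrypt m_i^h once
    per block of class i under k_{B(i,j,h), alpha}. Returns m^h and the broadcast."""
    rng = rng or secrets.SystemRandom()
    classes = parallel_classes(group - {h})
    m = [rng.randrange(MOD) for _ in classes]                   # r = g - 2 for ell = 3
    broadcast = {}
    for i, cls in enumerate(classes):
        for block in cls:
            A = frozenset(block | {h})
            broadcast[(i, block)] = (m[i] + my_keys[A][position_of(h, block) - 1]) % MOD
    return m, broadcast


def recover(receiver, h, group, broadcast, receiver_keys):
    """Any other member of G: in each class exactly one block contains the receiver, and
    the receiver holds k_A for A = block U {h}, so that ciphertext decrypts m_i^h."""
    m = []
    for i, cls in enumerate(parallel_classes(group - {h})):
        block = next(b for b in cls if receiver in b)
        A = frozenset(block | {h})
        m.append((broadcast[(i, block)] - receiver_keys[A][position_of(h, block) - 1]) % MOD)
    return m


def pad_usage(group):
    """How often each pad k_{A,alpha} is used across the whole group's broadcast:
    the one-time-pad argument needs every count to be exactly 1."""
    usage = {}
    for h in group:
        for cls in parallel_classes(group - {h}):
            for block in cls:
                key = (frozenset(block | {h}), position_of(h, block))
                usage[key] = usage.get(key, 0) + 1
    return usage


def outsider_holds_group_pad(outsider_keys, group):
    """A user outside G holds no k_A with A a subset of G, hence none of the pads."""
    return any(A <= group for A in outsider_keys)


def demo(seed=None):
    """(all members decrypt every m^h, every pad used once, number of pads, outsider holds a pad)."""
    U, G = frozenset(range(1, 8)), frozenset(range(1, 6))
    rng = random.Random(seed) if seed is not None else None
    all_keys = basic_kps(U, rng)
    ok = True
    for h in sorted(G):
        m, b = contribute(h, G, all_keys[h], rng)
        ok = ok and all(recover(v, h, G, b, all_keys[v]) == m for v in G if v != h)
    usage = pad_usage(G)
    return ok, set(usage.values()) == {1}, len(usage), outsider_holds_group_pad(all_keys[6], G)


if __name__ == "__main__":
    print("decrypts, pads used once, pad count, outsider holds a pad:", demo())
```

For $g = 5$ the count of pads is $\ell \binom{g}{\ell} = 30$, one per $(A, \alpha)$, matching the six ciphertexts each of the five users broadcasts; a coalition outside $G$ holds none of the thirty, which is the one-time-pad argument of Lemma 3.3 of [29] in concrete form.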

The third approach to the Key Establishment Problem is represented by the so-called broadcast encryption schemes. In this case, the trusted authority TA, during the distribution phase of the scheme, distributes private information to the users through the secure point-to-point channels. Later on, the TA enables a privileged subset $P$ of the users to recover a common secret key by broadcasting an encrypted message that only users in $P$ can decrypt.

Denoting by $\mathbf{B}_P$ the random variable that takes values on the set $B_P$, representing the broadcast (encrypted) message sent by the TA for the privileged set $P$, a broadcast encryption scheme can be defined as follows:
Definition 14. A $(\mathcal{P}, \mathcal{F})$-Broadcast Encryption Scheme ($(\mathcal{P}, \mathcal{F})$-BES, for short) is a protocol divided in two phases: a distribution phase, performed by the TA, and a key computation phase, performed by the users and the TA, satisfying the following properties:

— Each user $i$ in a privileged set $P$ can compute $k_P$ by using the private information received in the set-up phase and the broadcast message sent by the TA during the key computation phase. More formally, for all $P \in \mathcal{P}$ and $i \in P$,

$$H(\mathbf{K}_P \,|\, \mathbf{U}_i \mathbf{B}_P) = 0.$$

— No forbidden subset $F$, disjoint from a privileged subset $P$, has any information on $k_P$. More formally, for all $P \in \mathcal{P}$ and $F \in \mathcal{F}$ such that $P \cap F = \emptyset$,

$$H(\mathbf{K}_P) = H(\mathbf{K}_P \,|\, \mathbf{U}_F \mathbf{B}_P).$$



For broadcast encryption schemes, the performances are measured by the information rate $\rho$ (relative to the private information $U_i$ held by each user), the broadcast rate

$$\rho_b = \min_{P \in \mathcal{P}} \frac{H(\mathcal{K})}{H(B_P)}\,,$$

and the total rate $\rho_t$ (relative to both), where the meaning is exactly the same holding for key agreement schemes, with the only difference that, instead of considering the messages exchanged, the above measures consider the messages broadcast by the dealer during the broadcast phase.

The first broadcast encryption schemes we are going to consider are the one-level and multi-level schemes described in [58]. To get started, we recall the following definition:

Definition 15. An $(n,m,\omega)$-perfect hash family is a set $H$ of functions

$$f : \{1,\ldots,n\} \to \{1,\ldots,m\}$$

such that, for every subset $X \subseteq \{1,\ldots,n\}$ of size $\omega$, there exists a function $f \in H$ whose restriction $f|_X$ to $X$ is one-to-one.

An $(n,m,\omega)$-perfect hash family is usually denoted by PHF$(N,n,m,\omega)$, where $|H| = N$. Fiat and Naor, in their paper, gave some one-resilient schemes, i.e., schemes secure against attacks performed by a single user. Then, by using a collection of one-resilient BES schemes and a PHF$(N,n,m,\omega)$, they set up an $\omega$-resilient BES.

A first (unconditionally secure) construction for a one-resilient scheme is given by the so-called zero-message broadcast encryption scheme that we have already presented in the context of key predistribution schemes (i.e., the Fiat-Naor KPS). Moreover, two computationally secure one-resilient schemes were given. We describe the second one:




The Key Establishment Problem 



67 



One-resilient BES based on a computational assumption

- The dealer chooses two large primes $p, q$ and computes $n = pq$. It also chooses a secret value $g \in \mathbb{Z}_n^*$. Then, for each user $i$, he computes and sends to the user the secret key $g_i = g^{p_i} \bmod n$. The values $p_1, \ldots, p_n$ are public distinct primes, so that, for each $i \neq j$, $p_i \neq p_j$ and $\gcd(p_i, p_j) = 1$.

- A privileged group $G$ computes a common key $g_G$ by using the public values $p_1, \ldots, p_n$. More precisely, user $i \in G$ can compute $g_G$ by evaluating

$$g_i^{\,\prod_{j \in G \setminus \{i\}} p_j} \bmod n \;=\; g^{\prod_{j \in G} p_j} \bmod n.$$

It is easy to see that each user in $G$ computes the same key. Moreover, it is possible to show that if some user $j \notin G$ could compute the common key for $G$, then that user could even compute the secret value $g$ chosen by the dealer: since $\gcd(p_j, \prod_{i \in G} p_i) = 1$, the extended Euclidean algorithm gives integers $a, b$ with $a\,p_j + b \prod_{i \in G} p_i = 1$, hence $g = g_j^{\,a} \cdot g_G^{\,b} \bmod n$. Therefore, assuming that extracting roots modulo a composite $n$ is hard, the scheme is secure against a single user. For details the reader is referred to [58].

Using one-resilient schemes and a family of perfect hash functions, an $\omega$-resilient scheme can be described as follows:

$\omega$-resilient BES

For $1 \le i \le N$ and $1 \le j \le m$ let $R(i,j)$ be an $(n,1)$-BES scheme, and let PHF$(N,n,m,\omega) = \{f_1, \ldots, f_N\}$ be a family of perfect hash functions.

- Set up Phase. The dealer sends to every user $i \in \{1,\ldots,n\}$ the keys associated with him by the scheme $R(j, f_j(i))$, for any $j = 1, \ldots, N$.

- Broadcast Phase. The dealer, to send the message $m$, chooses $N-1$ random elements $m_1, \ldots, m_{N-1}$ and computes

$$m_N = m_1 \oplus \cdots \oplus m_{N-1} \oplus m.$$

Then, he broadcasts, for $j = 1, \ldots, N$, the value $m_j$ to the users belonging to $P \subseteq \{1,\ldots,n\}$ by means of the schemes $R(j, f_j(i))$, for any $i \in P$.

Every user in $P$ can recover all the $m_j$'s and can compute the message by a simple xor operation. On the other hand, the properties of the hash family guarantee that, for any subset $X = \{i_1, \ldots, i_\omega\}$ of users disjoint from $P$, one of the functions $f_j \in H$ is one-to-one on $X$. Hence, the users in $X$ cannot break any of the schemes $R(j, f_j(i_1)), \ldots, R(j, f_j(i_\omega))$, since these are one-resilient and can be broken only if at least two dishonest users are associated with the same scheme, i.e., $f_j(i_k) = f_j(i_\ell)$ for $k \neq \ell$. As a consequence, even if some user in $P$ receives $m_j$ by means of one of the schemes $R(j, f_j(i_1)), \ldots, R(j, f_j(i_\omega))$, the value $m_j$ cannot be recovered by $X$. Therefore, $m$ cannot be computed by $X$.
The above construction has been re-formulated by Stinson using some designs. The reader is referred to [121] for details. Notice that if the 1-resilient BES used as a building block is computationally secure, then the $\omega$-resilient BES is computationally secure. On the other hand, an unconditionally secure 1-resilient BES yields an unconditionally secure $\omega$-resilient BES.

A general construction for BES schemes has been proposed in [121,122]. The idea is to use basic Fiat-Naor schemes in conjunction with an ideal secret sharing scheme (ISSS, for short). The goal in [122] was to obtain schemes where each user has to store fewer values and the broadcast messages are shorter compared to other constructions. In order to describe the construction we first need to introduce the concept of a secret sharing scheme.

Secret Sharing Schemes. A secret sharing scheme is a method by means of which a secret can be shared among a set $\mathcal{P}$ of $n$ participants in such a way that qualified subsets of $\mathcal{P}$ can recover the secret, but forbidden subsets cannot. Secret sharing schemes were introduced in 1979 by Blakley [5] and Shamir [112]. The reader can find an excellent introduction in [119]. The collection of subsets of participants qualified to reconstruct the secret is usually referred to as the access structure of the secret sharing scheme. Formally, we have:

Definition 16. Let $\mathcal{P}$ be a set of participants; a monotone access structure $\Gamma$ on $\mathcal{P}$ is a subset $\Gamma \subseteq 2^{\mathcal{P}} \setminus \{\emptyset\}$ such that

$$A \in \Gamma,\ A \subseteq A' \subseteq \mathcal{P} \ \Rightarrow\ A' \in \Gamma.$$

A secret sharing scheme $\Sigma$ is a protocol divided into two phases: a distribution phase, in which the dealer sends a secret piece of information, called a share, to every participant, and a reconstruction phase, where the authorized subsets of participants, by pooling together their shares, reconstruct the secret. Any secret sharing scheme $\Sigma$ for secrets in $S$ and a probability distribution $\{p_S(s)\}_{s \in S}$ naturally induce a probability distribution on the secret information $a$ held by a subset $A \subseteq \mathcal{P}$.

Denoting by $\mathbf{A}$ and $\mathbf{S}$ the random variables representing the possible shares received by $A \subseteq \mathcal{P}$ and the possible secret chosen by the dealer, in terms of Shannon's entropy we can state the following:

Definition 17. A secret sharing scheme $\Sigma$ is a perfect secret sharing scheme with secrets chosen in $S$, for the monotone access structure $\Gamma \subseteq 2^{\mathcal{P}}$, if

1. Any subset of participants $A \in \Gamma$ can compute the secret. Formally, for all $A \in \Gamma$, it holds that $H(\mathbf{S} \mid \mathbf{A}) = 0$.

2. Any subset of participants $A \notin \Gamma$ has no information on the secret value. Formally, for all $A \notin \Gamma$, it holds that $H(\mathbf{S} \mid \mathbf{A}) = H(\mathbf{S})$.

Property 1 means that the value of the shares held by $A \in \Gamma$ completely determines the secret $s \in S$. On the other hand, Property 2 means that the probability that the secret is equal to $s$, given that the shares held by $A \notin \Gamma$ are $a$, is the same as the a priori probability of the secret $s$.
The efficiency of a secret sharing scheme is measured by means of an "information rate", which relates the size of the secret with the size of the shares given to the participants. More precisely, given a secret sharing scheme $\Sigma$ for the access structure $\Gamma$, on the set of secrets $S$, we define the information rate $\rho(\Sigma,\Gamma,S)$ as

$$\rho(\Sigma,\Gamma,S) = \frac{\log |S|}{\max_{P \in \mathcal{P}} \log |K(P)|}\,,$$

where $K(P)$ is the set of possible shares for participant $P$, and

$$\rho(\Gamma) = \sup \rho(\Sigma,\Gamma,S),$$

where the sup is taken over the space of all possible sets of secrets $S$, $|S| \ge 2$, and all secret sharing schemes $\Sigma$ for $\Gamma$. Secret sharing schemes with information rate equal to one, which is the maximum possible value of this parameter, are called ideal, and an access structure $\Gamma$ on $\mathcal{P}$ is said to be ideal if there exists an ideal secret sharing scheme $\Sigma$ realizing it.

An example of a perfect and ideal secret sharing scheme is the well-known Shamir's secret sharing scheme [112] for threshold access structures, i.e., access structures where any subset of size at least $k$ recovers the secret, while any subset of size less than $k$ cannot.



Shamir’s {k,n) -Threshold Secret Sharing Scheme 

1. Initialization. The dealer chooses n distinct, non-zero elements of 
Zp, x \, . . . , Xn, (where p > n-l- 1). For i = 1, . . . , n, the dealer assigns 
the value Xi to user i. The values Xi are public. 

2. Sharing. Let s G Zp be the secret the dealer wants to share. He 
secretly chooses (independently at random) k — 1 elements of Zp, 
say oi, . . . ,Ofc_i. 

3. For i = 1, . . . , n,, the dealer computes j/i = a(xi), where 

j+i 

a(x) = s -f GjX^ mod p. 

k-l 



4. For i = 1, . . . , n, the dealer gives the share yt to participant i. 

5. Reconstruction. The secret s = a(0) can be reconstructed by any 
subset of k participants, say {1, . . . ,k} for example, by computing 
for j = 1, . . . , fc, the coefficients 



bj 



n 

l^s<k,s^j 



Xs 



Xs — Xj ’ 



and, then, the 



Y!}=ibjy3- 
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It is possible to show that, any subset of A: — 1 participants, by pooling 
together their own shares, gets absolutely no information on the secret s [112]. 

Constructions for secret sharing schemes for general access structures were 
first given in [74] and, subsequently, in many other papers (see [119] for refer- 
ences). 

At this point, we can describe the so-called KIO construction, named after its use of a KPS and an ISSS to construct a One-time BES.

KIO Construction. Let $\mathcal{B} = \{B_1, \ldots, B_\beta\}$ be a family of subsets of $\mathcal{U}$, and let $\omega$ be an integer. For each $1 \le j \le \beta$, suppose a Fiat-Naor scheme $(\le |B_j|, \le \omega)$ is constructed with respect to the user set $B_j$. The secret values associated with the $j$-th scheme will be denoted $s_{jC}$, where $C \subseteq B_j$ and $|C| \le \omega$. The value $s_{jC}$ is given to every user in $B_j \setminus C$. Moreover, suppose that $\Gamma \subseteq 2^{\mathcal{B}}$ and that there exists a $\Gamma$-ISSS defined on $\mathcal{B}$ with values in $GF(q)$. Let $\mathcal{F} \subseteq 2^{\mathcal{U}}$, and suppose the following two properties are satisfied:

$$\{B_j : i \in B_j\} \in \Gamma \ \text{ for every } i \in \mathcal{U}, \qquad \{B_j : |F \cap B_j| \ge \omega + 1\} \notin \Gamma \ \text{ for every } F \in \mathcal{F}.$$

Then, we can construct a $(\le n, \mathcal{F})$-BES as follows: let $P \subseteq \mathcal{U}$. The dealer can broadcast a message $m_P \in GF(q)$ to $P$ using the following algorithm:



KIO Construction

1. For each $B_j \in \mathcal{B}$ the dealer computes a share $y_j \in GF(q)$ corresponding to the secret $m_P$.

2. For each $B_j \in \mathcal{B}$ the dealer computes the key $k_j$ corresponding to the set $P \cap B_j$ in the Fiat-Naor scheme implemented on $B_j$:

$$k_j = \sum_{C \subseteq B_j :\ C \cap P = \emptyset,\ |C| \le \omega} s_{jC}.$$

3. For each $B_j \in \mathcal{B}$ the dealer computes $b_j = y_j + k_j$.

4. The broadcast is $b_P = (b_j : B_j \in \mathcal{B})$.

The basic idea of the KIO construction can be explained as follows: first, consider a user $i \in P$ and define $A_i = \{j : i \in B_j\}$. User $i$ can compute $k_j$ for every $j \in A_i$. Then, for each $j \in A_i$, $i$ can compute $y_j = b_j - k_j$. Finally, since $A_i \in \Gamma$, $i$ can compute the message $m_P$ from the shares $y_j$ where $j \in A_i$. On the other hand, let $F \in \mathcal{F}$ be such that $F \cap P = \emptyset$. Define

$$A_F = \{j : |F \cap B_j| \ge \omega + 1\}.$$

The coalition $F$ can compute $k_j$, and hence $y_j$, for every $j \in A_F$. However, they can obtain no information about the shares $y_j$ where $j \notin A_F$. Since $A_F \notin \Gamma$, $F$ has no information about the value of $m_P$.
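Shamir's $(k,n)$-threshold scheme of the box further up and the KIO construction just described, as one added worked example (not code from the chapter or from [121,122]). Shamir's scheme is the $\Gamma$-ISSS on the block family, with $\Gamma$ the 2-out-of-5 threshold structure, and each block carries a Fiat-Naor scheme with $\omega = 1$. The field $GF(q)$ with $q = 1009$, the six users and the five blocks are constructed so that both conditions of the text hold for $\mathcal{F}$ = all coalitions of at most two users; the `kio_conditions_hold` check verifies that rather than assuming it.

```python
# Added example, not from the original chapter: Shamir (k,n)-threshold sharing
# used as the ideal secret sharing scheme inside the KIO construction.
import itertools
import secrets

Q = 1009                                   # constructed prime: Z_p for Shamir, GF(q) for KIO

def shamir_share(secret, k, xs, q):
    """a(x) = s + a_1 x + ... + a_{k-1} x^{k-1} mod q; share y_i = a(x_i)."""
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(k - 1)]
    return {x: sum(c * pow(x, e, q) for e, c in enumerate(coeffs)) % q for x in xs}

def shamir_reconstruct(shares, q):
    """s = sum_j b_j y_j with b_j = prod_{l != j} x_l / (x_l - x_j) mod q."""
    total = 0
    for xj, yj in shares.items():
        bj = 1
        for xl in shares:
            if xl != xj:
                bj = bj * xl * pow(xl - xj, -1, q) % q
        total = (total + bj * yj) % q
    return total

# Constructed KIO instance: 6 users, 5 blocks. Every user lies in 2 blocks and
# any two users share at most 1 block, so with Gamma = "at least 2 blocks"
# both conditions of the text hold for omega = 1 and F = pairs of users.
BLOCKS = {1: {1, 2, 3}, 2: {4, 5, 6}, 3: {1, 4}, 4: {2, 5}, 5: {3, 6}}
OMEGA, THRESHOLD = 1, 2

def kio_conditions_hold(blocks, threshold, omega, forbidden):
    """{B_j : i in B_j} in Gamma for every i, and {B_j : |F & B_j| >= omega+1}
    not in Gamma for every forbidden F (Gamma = threshold on block count)."""
    users = set().union(*blocks.values())
    ok_users = all(sum(i in bj for bj in blocks.values()) >= threshold for i in users)
    ok_forb = all(sum(len(set(F) & bj) >= omega + 1 for bj in blocks.values()) < threshold
                  for F in forbidden)
    return ok_users and ok_forb

def fiat_naor_setup(blocks, omega, q):
    """s_{jC} for C subset of B_j, |C| <= omega, handed to every user in B_j \\ C."""
    table, held = {}, {}
    for j, bj in blocks.items():
        for size in range(omega + 1):
            for c in itertools.combinations(sorted(bj), size):
                table[(j, c)] = secrets.randbelow(q)
                for u in bj - set(c):
                    held.setdefault(u, {})[(j, c)] = table[(j, c)]
    return table, held

def block_key(values, j, bj, privileged, omega, q):
    """k_j = sum of s_{jC}, C subset of B_j disjoint from P, |C| <= omega.
    KeyError if `values` (a user's or a coalition's view) lacks a needed s_{jC}."""
    k = 0
    for size in range(omega + 1):
        for c in itertools.combinations(sorted(bj), size):
            if not set(c) & privileged:
                k = (k + values[(j, c)]) % q
    return k

def kio_broadcast(table, blocks, privileged, m, threshold, omega, q):
    """Steps 1-4: share m_P among the blocks, then b_j = y_j + k_j."""
    ys = shamir_share(m, threshold, list(blocks), q)
    return {j: (ys[j] + block_key(table, j, bj, privileged, omega, q)) % q
            for j, bj in blocks.items()}

def kio_decrypt(u, held_u, blocks, privileged, b, threshold, omega, q):
    """User i in P unmasks y_j for j in A_i = {j : i in B_j} and reconstructs."""
    ys = {j: (b[j] - block_key(held_u, j, bj, privileged, omega, q)) % q
          for j, bj in blocks.items() if u in bj}
    return shamir_reconstruct(ys, q)

def coalition_unmasked_blocks(coalition, held, blocks, privileged, omega, q):
    """A_F: the blocks whose key the pooled coalition can actually form."""
    pool = {}
    for u in coalition:
        pool.update(held.get(u, {}))
    unmasked = set()
    for j, bj in blocks.items():
        try:
            block_key(pool, j, bj, privileged, omega, q)
            unmasked.add(j)
        except KeyError:
            pass
    return unmasked
```

For $P = \{1,2,4\}$ the coalition $\{3,6\}$ fills block $B_5 = \{3,6\}$ with two members and so unmasks $y_5$, but that is a single share of a 2-out-of-5 Shamir scheme and carries no information about $m_P$; the check that $|A_F| < 2$ is the second condition of the construction in action.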

For other papers concerning broadcast encryption the reader is referred to [18,27,58,22,28,30,65,76,81,85], to name a few.
4 Use of a Trusted Third Party

Another important approach to solve the key establishment problem requires an 
on-line Trusted Third Party, usually referred to as the Key Distribution Center. 
In this section we discuss the main advantages/disadvantages related to this 
approach, outlining the structures of some of the most common protocols. 

4.1 Key Distribution Center 

A common solution to the key establishment problem relies on the use of a trusted party, usually referred to as the Key Distribution Center (KDC, for short), responsible for the generation and the distribution of the keys to the users. In such a model, every user of the system is connected to the KDC by means of a private channel. When two or more users wish to communicate privately, one of them sends a key request to the KDC. Then, the KDC generates a random key $k$ and sends $k$ securely to the users. Later on, the users can communicate privately by using $k$.

This approach was initiated by Needham and Schroeder [100]. The protocol they proposed can be described as follows: Let $T$ denote the KDC. Alice and Bob have public identifiers, $id_A$ and $id_B$, and share a secret key with $T$, say $k_{AT}$ and $k_{BT}$, respectively. Moreover, let $r_A$ and $r_B$ be random numbers.

Needham-Schroeder Protocol

1. Alice sends the message $(id_A, id_B, r_A)$ to $T$.

2. $T$ sends to Alice the message $E_{k_{AT}}(r_A, id_B, k, E_{k_{BT}}(k, id_A))$.

3. Alice sends $E_{k_{BT}}(k, id_A)$ to Bob.

4. Bob sends $E_k(r_B)$ to Alice.

5. Alice sends $E_k(r_B - 1)$ to Bob.

Let us briefly explain the steps of the protocol. Alice starts by sending her identifier $id_A$, Bob's identifier $id_B$ and a random value $r_A$ to $T$. This message is basically a key request. $T$ replies with a message encrypted for Alice containing the session key $k$ and a sub-message, encrypted for Bob, containing the same session key $k$. Then, Alice forwards to Bob the part of the message generated by $T$ for him. The last two messages they exchange are used to confirm that they have computed the same key.

However, as subsequently pointed out, the protocol presents some problems: in step 2 the part of the message for Bob is unnecessarily double encrypted. Moreover, since Bob has no way to check whether the key $k$ obtained in step 3 is fresh, if an old session key $k$ is compromised, anyone who knows it can re-send the old message of step 3 and correctly compute the message of step 5, so that Bob accepts the compromised key as a new session key.

Many different protocols were based on the Needham-Schroeder protocol. Among them, the most famous is surely the so-called Kerberos System [101]. The system was conceived in 1989 at MIT and supports both entity authentication and key establishment using symmetric encryption and a third party.

Kerberos System (simplified version)

1. Alice sends the message $(id_A, id_B, r_A)$ to $T$.

2. $T$ sends to Alice the message $(E_{k_{BT}}(k, id_A, L),\ E_{k_{AT}}(k, r_A, L, id_B))$.

3. Alice sends $E_{k_{BT}}(k, id_A, L),\ E_k(id_A, t_A)$ to Bob.

4. Bob sends $E_k(t_A)$ to Alice.

Notice that the structure is quite close to the structure of the Needham-Schroeder scheme. The main difference is the use of a life-time period $L$ for the session key, and of a time stamp $t_A$ of Alice's clock. The value $L$ enables one to partially avoid the attack described for the Needham-Schroeder scheme: a replayed ticket is rejected once its lifetime has expired, and the authenticator $E_k(id_A, t_A)$ lets Bob reject stale time stamps, although a replay within the accepted clock tolerance still goes through. A full description of the Kerberos system can be found in [101], while for other on-line KDC-based schemes the reader is referred to [94] and to the references quoted therein. We just wanted to point out this approach by sketching two of these schemes, without going into details that are however of great importance in actual implementations.
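The two exchanges above, as one added worked example (not code from the chapter or from [100,101]): both sides of the Needham-Schroeder run, the replay of an old step-3 message by someone who learned the old $k$, and the Kerberos-side checks on $L$ and $t_A$ that reject it. $E_k(\cdot)$ is modelled by an object that opens only under the same key; it is a stand-in for a cipher, not one. Identifiers, long-term keys, nonces, the clock values and the 300-second skew tolerance are constructed.

```python
# Added example, not from the original chapter: Needham-Schroeder flow, its
# replay weakness, and the Kerberos lifetime/timestamp check.
import secrets

class Box:
    """Model of E_k(payload): opens only with the same key. Not a cipher."""
    def __init__(self, key, payload):
        self._key, self._payload = key, payload
    def open(self, key):
        if key != self._key:
            raise ValueError("wrong key")
        return self._payload

class KDC:
    def __init__(self, long_term):          # long_term: identifier -> key shared with T
        self.lt = long_term
    def ns_reply(self, id_a, id_b, r_a):    # Needham-Schroeder step 2
        k = secrets.randbits(64)
        return Box(self.lt[id_a], (r_a, id_b, k, Box(self.lt[id_b], (k, id_a))))
    def krb_reply(self, id_a, id_b, r_a, now, lifetime):   # Kerberos step 2
        k, expiry = secrets.randbits(64), now + lifetime
        return Box(self.lt[id_b], (k, id_a, expiry)), Box(self.lt[id_a], (k, r_a, expiry, id_b))

def ns_bob(bob_key, ticket):
    """Bob's view of step 3: whatever k the ticket holds is accepted as fresh."""
    k, _id_a = ticket.open(bob_key)
    return k

def needham_schroeder(kdc, alice_key, bob_key, id_a, id_b):
    """Steps 1-5 between honest parties; returns k and Alice's step-3 message."""
    r_a = secrets.randbits(32)
    r_a2, id_b2, k, ticket = kdc.ns_reply(id_a, id_b, r_a).open(alice_key)   # steps 1-2
    assert r_a2 == r_a and id_b2 == id_b                                      # Alice checks her nonce
    k_bob = ns_bob(bob_key, ticket)                                           # step 3
    r_b = secrets.randbits(32)
    step4 = Box(k_bob, r_b)                                                   # step 4
    step5 = Box(k, step4.open(k) - 1)                                         # step 5
    assert step5.open(k_bob) == r_b - 1
    return k, ticket

def ns_replay(old_k, old_ticket, bob_key):
    """Attacker knowing an old k re-sends the old step-3 message. Bob cannot
    tell it is stale, answers E_k(r_B), and the attacker completes step 5."""
    k_bob = ns_bob(bob_key, old_ticket)
    r_b = secrets.randbits(32)
    step4 = Box(k_bob, r_b)
    step5 = Box(old_k, step4.open(old_k) - 1)           # possible since k_bob == old_k
    return step5.open(k_bob) == r_b - 1                  # True: Bob now talks to the attacker

def krb_bob(bob_key, ticket, authenticator, now, skew=300):
    """Bob's checks in Kerberos: lifetime L not expired, authenticator opens
    under the ticket's k, names the same principal and carries a recent t_A."""
    k, id_a, expiry = ticket.open(bob_key)
    auth_id, t_a = authenticator.open(k)
    if now > expiry or auth_id != id_a or abs(now - t_a) > skew:
        return None
    return k

def kerberos(kdc, alice_key, bob_key, id_a, id_b, now, lifetime):
    """Steps 1-4; returns k and the two step-3 components for replay tests."""
    r_a = secrets.randbits(32)
    ticket, for_alice = kdc.krb_reply(id_a, id_b, r_a, now, lifetime)
    k, r_a2, _expiry, id_b2 = for_alice.open(alice_key)
    assert r_a2 == r_a and id_b2 == id_b
    authenticator = Box(k, (id_a, now))                                       # E_k(id_A, t_A)
    k_bob = krb_bob(bob_key, ticket, authenticator, now)
    assert k_bob == k and Box(k_bob, now).open(k) == now                      # step 4
    return k, ticket, authenticator
```

The replay function returns `True` precisely because nothing in the step-3 message binds it to the present; in the Kerberos variant the same replay is refused once $t_A$ is older than the skew or the ticket is past $L$, while a replay inside the skew window is still accepted, which is the "partially" of the text.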

Most of the protocols which use a KDC are "proved" to be secure by means of empirical arguments: the protocols are strong enough to deal with well-known attack strategies. Bellare and Rogaway [9] formally studied the KDC-based approach to the key establishment problem. In their paper [9], they proposed a formal three-party model, and described protocols with security proofs in the so-called random oracle model [11].

Advantages of Session Keys. The use of a TTP to solve the key establishment problem is particularly suitable due to the possibility of using session keys. A session key is a short-term key, usable for a restricted period of time, after which it is destroyed. Many reasons motivate session keys. Basically:

- Ciphertext attacks. If the key is used in a symmetric cryptosystem, the amount of ciphertext an adversary can use in order to break the scheme is limited.

- Break-ins. If the key is compromised, only data protected during the previous period are potentially exposed.

- Memory storage. The number of secret keys that users have to store is reduced: session keys can be generated when needed.

Notice that the use of a KDC is a suitable solution to key establishment, 
since, apart from the “pure distribution” of keys to users, several related key- 
management aspects (i.e., life time, authentication of the communicating entities, 
usage restrictions of a key and so on) can be easily solved with this third party. 
However, as we point out in the next subsection, the use of a KDC could cause 
some problems. 

4.2 Distribution of a KDC 

Our attention in this subsection focuses on a model which remedies some potential weaknesses introduced by using a single KDC. Indeed, the main drawback of a single KDC is that it works on-line and it must be trusted. Potentially, it could eavesdrop on all the communications. Moreover, the center can be a "bottleneck" for the performance of the network and, if it crashes, secure communication cannot be supported anymore. Last but not least, even if the KDC is honest and everything works fine, the KDC still represents an attractive target for the adversary. Indeed, the overall system security is lost if the KDC is compromised.

A frequently used solution to the availability problem lies in the replication of the KDC at various points of the network. This strategy reduces the communication delay produced by a single center but decreases the security of the overall system, since there are different physical locations storing users' private keys that can be broken into. An adversary who succeeds in controlling a center can read all the communications. A common solution for this problem consists in partitioning the network into various domains with dedicated KDCs, each responsible for the key management of a fixed local area only. In a partitioned network, an adversary who controls the KDC of a domain has power only over a delimited part of the network.

However, partitioning of the network and replication of the KDC are partial and expensive solutions. The partition of a network implies a heavy communication overhead for inter-domain KDC coordination in the presence of key requests from groups of users which belong to different domains; while replication of centers decreases security and introduces problems of consistency and synchronization between the servers during the update processes. As has been pointed out in [97], in a multicast communication environment with support for virtual meetings involving thousands of clients, and data stream transmission to a large group of recipients, the availability and security issues of a centralized environment become even more relevant and difficult to solve than with unicast communication.

A robust and efficient solution to the above issue could be a new approach 
to key distribution, introduced in [97]. A Distributed Key Distribution Center 
(DKDC, for short) is a set of n servers of a network that jointly realize the 
function of a Key Distribution Center. A user, who needs to communicate with 
a group of users, sends a key-request to a subset of his own choosing of the n 
servers, and the contacted servers answer with some information enabling the 
user to compute the common key. In such a model, a single server by itself does 
not know the secret keys, since they are shared among the n servers. Moreover, 
if some server crashes, secure communication can still be supported by the other 
servers and, since each user can contact a different subset of servers, the slow- 
down factor for the performances of the applications introduced by a single KDC 
can be improved. 

The model we consider in this case is the following: Let $\mathcal{U} = \{U_1, \ldots, U_m\}$ be a set of $m$ users, and let $S_1, \ldots, S_n$ be a set of $n$ servers of the network. Each user has private connections with all the servers. A scheme to set up a DKDC is divided in three phases: an initialization phase, which involves only the servers and requires (temporary) private channels; a key request phase, in which users ask servers for keys; and a key computation phase, in which users retrieve keys from the messages received from the servers contacted during the key request phase. More precisely, the properties that must hold are:

Properties of a DKDC

- When the initialization phase correctly terminates, each server $S_i$ has to be able to compute some private information, denoted by $\alpha_i$, enabling him to answer the key-request messages.

- Each user in a group $C_h$ must be able to uniquely compute the group key, after interacting with at least $k$ servers of his choice.

- A group key must be secure against attacks performed by coalitions of servers, coalitions of users, and hybrid coalitions (servers and users).



A construction for a DKDC, based on a family of $\ell$-wise independent functions, has been proposed in [97]. A function is $\ell$-wise independent if the knowledge of the value of the function in $\ell - 1$ different points of the domain does not convey any information on the value of the function in another point.

The scheme proposed in [97] enables $\ell$ groups of users, referred to as conferences in a set $\mathcal{C}$, not known a priori, to securely compute a common key. The family of $\ell$-wise independent functions chosen in [97] to construct the scheme is the family of all bivariate polynomials $P(x,y)$ over a given finite field $\mathbb{Z}_q$, in which the degree of $x$ is $k-1$ and the degree of $y$ is $\ell-1$. The protocol can be described as follows: Let $k, n$ be two integers such that $k < n$, and let $G$ be a coalition of users that could try to compute keys for conferences to which they do not belong. Moreover, let $\ell = \max_{G \subseteq \mathcal{U}} \ell_G$ be the maximum number of conference keys that a coalition $G$ of users can compute, and assume that the initialization phase is performed by the first $k$ servers of the system. The full protocol can be described as follows:



Initialization Phase

- Each of the servers $S_1, \ldots, S_k$ performing the initialization phase constructs a random bivariate polynomial $P^i(x,y)$ of degree $k-1$ in $x$ and $\ell-1$ in $y$, by choosing $k \cdot \ell$ random elements in $\mathbb{Z}_q$.

- Then, for $i = 1, \ldots, k$, server $S_i$ evaluates the polynomial $P^i(x,y)$ in the identity $j$ of $S_j$, and sends $Q^i_j(y) = P^i(j,y)$ to the server $S_j$, for $j = 1, \ldots, n$.

- For $j = 1, \ldots, n$, each server $S_j$ computes his private information $\alpha_j$, adding the $k$ polynomials of degree $\ell-1$ obtained from the $k$ servers performing the initialization phase. More precisely,

$$\alpha_j = Q_j(y) = \sum_{i=1}^{k} Q^i_j(y).$$



A user who needs a conference key sends a key request to the servers as follows:

Key Request Phase

- A user $U \in C_h$, who wants to compute the key $k_h$, sends to at least $k$ servers, say $S_{i_1}, \ldots, S_{i_k}$, a request $(U, h)$.

- Each server $S_{i_j}$, invoked by $U$, checks that the user belongs to $C_h$, and sends to $U$ the value $Q_{i_j}(h)$, i.e., the value of the polynomial $Q_{i_j}(y)$ evaluated in $y = h$.



Finally, using the $k$ values received from the servers $S_{i_1}, \ldots, S_{i_k}$, and applying the Lagrange formula for polynomial interpolation, each user $U \in C_h$ recovers the secret key $P(0,h) = \sum_{i=1}^{k} P^i(0,h)$. More precisely,

Key Computation Phase

- $U$ computes, for $j = 1, \ldots, k$, the coefficients

$$b_j = \prod_{1 \le s \le k,\ s \neq j} \frac{i_s}{i_s - i_j}\,.$$

Then, he recovers $P(0,h)$ computing the sum $\sum_{j=1}^{k} b_j\, y_{i_j}$ where, for $j = 1, \ldots, k$, $y_{i_j} = Q_{i_j}(h)$ is the value received from the server $S_{i_j}$.
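The three phases above, as an added worked example (not code from the chapter or from [97]). Parameters are constructed: $n = 5$ servers with identities $1, \ldots, 5$, the first $k = 3$ of them run the initialization, $\ell = 4$, the field is $\mathbb{Z}_q$ with $q = 2^{31} - 1$, and a conference identifier $h$ is a nonzero element of $\mathbb{Z}_q$. The summed polynomial $P$ is returned by the initialization only so that the example can compare the interpolated key with $P(0,h)$; in the scheme no single party ever holds it.

```python
# Added example, not from the original chapter: DKDC from a bivariate
# polynomial, with constructed parameters n = 5, k = 3, l = 4, q = 2^31 - 1.
import secrets

Q = 2**31 - 1                  # constructed prime field Z_q
N_SERVERS, K, ELL = 5, 3, 4

def random_bivariate(k, ell, q):
    """P^i(x,y) = sum_{a<k, b<l} c[a][b] x^a y^b: k*l random coefficients."""
    return [[secrets.randbelow(q) for _ in range(ell)] for _ in range(k)]

def restrict_x(poly, x, q):
    """Q^i_j(y) = P^i(j, y): fix x = j and return the coefficients in y."""
    return [sum(row[b] * pow(x, a, q) for a, row in enumerate(poly)) % q
            for b in range(len(poly[0]))]

def eval_univariate(coeffs, y, q):
    return sum(c * pow(y, b, q) for b, c in enumerate(coeffs)) % q

def initialization(n, k, ell, q):
    """S_1..S_k each draw P^i and send Q^i_j(y) = P^i(j,y) to every S_j, which
    keeps alpha_j = Q_j(y) = sum_i Q^i_j(y). The summed P is returned only
    for checking; no party in the scheme holds it."""
    polys = [random_bivariate(k, ell, q) for _ in range(k)]
    alpha = {}
    for j in range(1, n + 1):
        pieces = [restrict_x(p, j, q) for p in polys]
        alpha[j] = [sum(col) % q for col in zip(*pieces)]
    p_total = [[sum(p[a][b] for p in polys) % q for b in range(ell)] for a in range(k)]
    return alpha, p_total

def key_request(alpha, servers, user, h, conferences, q):
    """Each contacted S_{i_j} checks that `user` is in C_h and answers Q_{i_j}(h)."""
    answers = {}
    for j in servers:
        if user not in conferences[h]:
            raise PermissionError(f"server {j}: user not in conference {h}")
        answers[j] = eval_univariate(alpha[j], h, q)
    return answers

def key_computation(answers, q):
    """Lagrange interpolation at x = 0 of the k points (i_j, Q_{i_j}(h)):
    P(0, h) = sum_j b_j y_{i_j} with b_j = prod_{s != j} i_s / (i_s - i_j)."""
    key = 0
    for ij, yj in answers.items():
        bj = 1
        for i_s in answers:
            if i_s != ij:
                bj = bj * i_s * pow(i_s - ij, -1, q) % q
        key = (key + bj * yj) % q
    return key
```

Two users of the same conference contacting different triples of servers land on the same key, since each $Q_j(h) = P(j,h)$ is a point on the same degree-$(k-1)$ polynomial in $x$; a user outside $C_h$ is refused at the request phase before any value leaves a server.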



The security of the above scheme is unconditional. However, in [97] some computationally secure constructions were given as well. Actually, the problem studied in [97] was a more general one: how to securely distribute the computation of a pseudorandom function. A scheme for a DKDC was considered as an application scenario for the distributed computation of a pseudorandom function.

Maurer, in his survey on future perspectives for cryptography [92], has pointed out that two important directions for research in the next years could be the weakening of the assumptions on which cryptographic protocols are built, and the distribution of trust. Key establishment is an important theoretical and practical problem, and distributed solutions seem to be suitable in many settings. This is the reason* for which we have included a paragraph about the distribution of a KDC [97].

5 Multicast Schemes

Multicast communication schemes enable delivering data to multiple recipients. The motivation for such a communication scheme lies in its efficiency: users of the same group get the same message simultaneously, with a consequent reduction of both sender and network resources. A wide range of applications benefit from multicast communication. However, several issues must be solved when designing a secure multicast scheme. The reader is referred to [43] for a clear and detailed overview.

* Well, a less impartial reason is that we like this problem, and we have even studied some extensions [24,25,49] of the model given in [97].

Among them, one of the most challenging problems is so-called access control: only legitimate members of a multicast group must have access to the multicast group communication. The standard technique used to guarantee such a requirement is to maintain a common key that is known to all the multicast group members, but is unknown to non-members.

In this setting, hence, the key establishment problem is how to maintain the invariant that all the group members, and only them, have access to a group key in a group with dynamic membership. Indeed, from time to time, users can be added to and removed from the group. This is the main difference between this setting and the previous ones, where groups are static (i.e., broadcast schemes).

The scenario we consider can be formalized as follows: Let $\mathcal{U}$ be the universe of all possible users, and let $GC$ denote the group controller, responsible for the key-management problem. Let $M = \{u_1, \ldots, u_m\} \subseteq \mathcal{U}$ be the multicast group. We assume that $GC \notin M$. A session key $k_s$ is shared initially by $M$ and the $GC$. Moreover, other information and key material can be known by the users in $M$ and the $GC$. The group $M$ can change by means of two operations: Join and Remove. More precisely, let $U$ be a set of users. We have:

- Remove(U). The new group is $M \setminus U$.

- Join(U). The new group is $M \cup U$.

A multicast re-keying protocol specifies an algorithm by means of which the 
GC may update the session key ks, and possible other information and key 
material held by the parties, after each Join and Remove operation. 

The efficiency of such schemes is measured by means of: 

— Communication Complexity. This parameter is the most important one, since 
reducing communication and network resources is the main motivation for 
multicast communication. 

- Group Controller Storage. Amount of memory needed to manage the key-establishment issue.

— User Storage. Amount of memory the user needs to update the session keys 
for the multicast group. 

To give an idea to the reader, we describe two multicast re-keying protocols: 
A basic scheme with minimal storage requirement, but inefficient from the com- 
munication complexity point of view, and a tree-based scheme, which improves 
the communication complexity paying something in terms of memory storage. 
The first one can be described as follows: 
Storage Efficient Multicast Scheme

- Each user $u$ holds the session key $k_s$ and a unique symmetric key $k_u$, shared with the $GC$. These keys are generated by the $GC$ in the set-up phase: for each user $u$, $k_u = f_r(u)$, where $f$ is a pseudo-random function and $r$ is a secret seed stored by the $GC$.

- When a group of users $U$ is removed from the group, the $GC$ chooses a new session key $k'_s$ and sends it to each remaining user $u$ by broadcasting the ciphertexts $E_{k_u}(k'_s)$ for all $u \in M \setminus U$.

- When a group of users $U$ joins the group, the $GC$ generates a new session key $k'_s$ and sends it to the new users by broadcasting the ciphertexts $E_{k_u}(k'_s)$ for all $u \in U$, and to the old ones by broadcasting the ciphertext $E_{k_s}(k'_s)$.



The second scheme is based on a tree data structure. It enables a more efficient implementation of the update after a remove operation, and can be described as follows (we consider only the remove operation):

Tree-Based Multicast Scheme

- Let $n = 2^h$ (a power of 2) be the number of users. The Group Controller $GC$ sets up a binary tree of height $\log n$. Users are associated to the leaves. Then the $GC$ associates a key to every node of the tree, and sends to each user, through a secure channel, the keys associated to the nodes along the path connecting the user to the root. The key associated to the root is the session key.

- When a user $u$ must be removed from the group, the $GC$ performs the following operations: for each node $v$ along the path from $u$ to the root, a new key is generated. Then, these new keys are encrypted and broadcast to the users. More precisely, denoting by $p(v)$ the parent of $v$ and by $s(v)$ the sibling of $v$, the new key of $p(v)$ is encrypted with the key of $s(v)$ and, for $v \neq u$, also with the new key of $v$. The process starts from $v = u$ and is iterated until the root is reached.
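The tree-based scheme above, as an added worked example (not code from the chapter or from [128]), for $n = 8$ users, with a check from the removed user's point of view. Keys are random 64-bit integers; $E_k(k')$ is modelled as a triple (node, $k$, $k'$) that a receiver opens only if it already holds $k$, a stand-in for a real cipher. The leaf keys play the role of the per-user keys $k_u$ of the storage-efficient scheme; the heap layout (root $= 1$, leaves $n, \ldots, 2n-1$) is a choice of this example.

```python
# Added example, not from the original chapter: tree-based re-keying for a
# Remove operation, heap-indexed binary key tree, n = 2^h users.
import secrets

class KeyTree:
    """Complete binary tree in heap layout: root = 1, leaves n .. 2n-1."""
    def __init__(self, n):
        assert n > 1 and n & (n - 1) == 0            # n = 2^h
        self.n = n
        self.key = {v: secrets.randbits(64) for v in range(1, 2 * n)}

    def leaf(self, u):
        return self.n + u                             # user u in 0..n-1

    def path_keys(self, u):
        """What user u receives at set-up: the keys from its leaf up to the root."""
        v, held = self.leaf(u), {}
        while v >= 1:
            held[v] = self.key[v]
            v //= 2
        return held

    def remove(self, u):
        """Renew every key on u's path above the leaf, bottom-up. The new key of
        p(v) is broadcast under the key of the sibling s(v) and, above the
        first step, also under the new key of v: 2 log2(n) - 1 ciphertexts."""
        msgs, v, new_v = [], self.leaf(u), None
        while v > 1:
            p, sib = v // 2, v ^ 1
            fresh = secrets.randbits(64)
            msgs.append((p, self.key[sib], fresh))    # E_{k_{s(v)}}(k'_{p(v)})
            if new_v is not None:
                msgs.append((p, new_v, fresh))        # E_{k'_v}(k'_{p(v)})
            self.key[p], new_v, v = fresh, fresh, p
        del self.key[self.leaf(u)]                    # u's own leaf key is retired
        return msgs

def apply_rekey(held, msgs):
    """A receiver's view: open each message whose key it holds; keys learned
    from earlier (lower) messages unlock the later (higher) ones."""
    held = dict(held)
    for node, under, fresh in msgs:
        if under in held.values():
            held[node] = fresh
    return held

def rekey_cost(n):
    """Ciphertexts broadcast per removal: 2 log2(n) - 1."""
    return 2 * n.bit_length() - 3
```

Every remaining user holds the key of exactly one sibling along the renewed path (or a renewed key learned one step lower), so each reaches the new root key, while the removed user holds none of the keys any message is encrypted under and is left with the old session key; the broadcast grows with $\log n$ rather than with $n$ as in the storage-efficient scheme.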



The above scheme, described in [128], was subsequently improved by using 
a pseudo-random generator in [43], and further optimized, in order to improve 
the tradeoff between Center Memory Storage and Communication Complexity 
in [44]. In the latter paper lower bounds on the resources required by multicast 
schemes are given as well. Later on, in [104] it was shown that the trade-off 
constructions given in [44] are optimal. 



6 Tracing Schemes 

Valuable digital content can be distributed to a large set of parties by means of several media: cable or satellite networks, CD-ROM and DVD devices and more. If the content must be available only to authorized parties, namely the ones that pay to get access, then it can be distributed in encrypted form, and the authorized users can receive decryption keys. Pay-per-view and certain subscription television broadcast transmissions are remarkable examples of such content delivery systems.

However, the content is protected from forbidden users as long as they do 
not get decryption keys and, unfortunately, several reasons can drive authorized 
users, called traitors, to disclose/communicate their keys to other users, in order 
to enable them to access the data. In the pay-per-view scenario, for example, 
the decoder used to decrypt the transmission is a box storing some keys that are 
used, at the beginning of each transmission, to decrypt preliminary messages, 
sent by the broadcaster, enabling the reconstruction of the session key with 
which the subsequent content, say a movie, will be encrypted. 

Several traitors can try to set up a new decoder by using subsets of their own key sets. The new set does not belong to any user at all. Hence, in some way, nobody is guilty. Such a phenomenon is called piracy. Of course, if it is possible to prove that the decoder could be set up only because at least one of the users released some of his decryption keys, piracy can be prevented: if the risk of being accused is high, traitors can be discouraged.

Clearly, a possible solution is to encrypt the data separately under different 
keys, one for each user. This means that the total length of the ciphertext is at 
least n times the length of the cleartext, where n is the number of authorized 
parties. Such an overhead is unacceptable in any broadcast environment. 

In recent years, researchers have concentrated their efforts on the design of 
systems that deter traitors from distributing the keys that enable the decryption 
of the encrypted content. The reader is referred to [48], which is the journal 
version of [47], where the concept of tracing traitors was introduced, and to [98], 
where some more efficient constructions were given, for a complete introduction. 
This subsection is mainly based on the treatment provided therein. 

We would like to point out that the problem is related to the key establish- 
ment problem: as we show, several solutions are based on a smart distribu- 
tion/allocation of decryption keys among the decoders, enabling the identification 
of at least one traitor once a pirate decoder, built by several traitors, is captured. 

The model we consider is the following: We have a data supplier $\mathcal{D}$ and a 
large set of recipients. The data supplier generates a meta-key which contains a 
base set $A$ of random keys, and assigns subsets of these keys to users, $m$ keys 
per user. These $m$ keys form the user's personal key. Different personal keys may 
have a nonempty intersection. We denote the personal key for user $u$ by $P(u)$, 
which is a subset of the base set $A$. 

A message in a traitor tracing scheme is a pair (enabling block, cipher block). 
The cipher block is the symmetric encryption of the actual data, under some 
secret key $s$. The enabling block allows authorized users to obtain $s$. Basically, 
the enabling block consists of values encrypted under some or all of the keys 
of the base set $A$. Every authorized user is able to compute $s$ by decrypting 
the values for which he has keys and then computing the actual key from these 
values. 

The goal of the system designer is to assign keys to the users such that, when 
a pirate decoder is captured, it is possible to detect at least one traitor, 
subject to the condition that the number of traitors is at most $k$. Such schemes 
are said to be $k$-resilient. 

To exemplify the above concepts and to give the reader an idea of what is 
going on, we describe two schemes. The first one is very simple and is 1-resilient. 
It works as follows: 

1-resilient Traitor Tracing Scheme 

— The data supplier $\mathcal{D}$ generates $r = 2 \log n$ keys 

  $a_1^0, a_1^1, a_2^0, a_2^1, \ldots, a_{\log n}^0, a_{\log n}^1.$ 

  Each user has a $\log n$ bit identity, and the personal key $P(i)$ for user $i$ is 
  the set of $m = \log n$ keys 

  $P(i) = \{ a_1^{b_1}, a_2^{b_2}, \ldots, a_{\log n}^{b_{\log n}} \},$ 

  where $b_j$ is the $j$-th bit of $i$'s identity. 

— Let $s$ be the key used to encrypt the cipher block. The data supplier splits 
  $s$ into $\log n$ secrets $s_1, \ldots, s_{\log n}$, i.e., $s$ is given by the XOR of the $s_j$, and 
  encrypts every $s_j$ with both $a_j^0$ and $a_j^1$. Both encryptions are added to the 
  enabling block. 

Notice that every user can decrypt the $s_j$ and compute $s$. Different users have 
at least one row $j$ where they differ in the selected keys. Since any pirate decoder 
must contain at least one key for every $j = 1, \ldots, \log n$, and we assume that at 
most one traitor is allowed, the pirate decoder must store exactly the keys 
of the traitor, which uniquely identify him. 

A more efficient scheme with higher resilience can be constructed by using a 
set of $\ell$ (unkeyed) hash functions. 

k-resilient Traitor Tracing Scheme 

— Let $\{h_1, \ldots, h_\ell\}$ be a set of hash functions chosen at random. Each function 
  $h_i$ maps $\{1, \ldots, n\}$ to $\{1, \ldots, 2k^2\}$. The data supplier $\mathcal{D}$ generates a matrix 
  of $\ell \times 2k^2$ random keys, where row $i$ is given by 

  $A_i = \{ a_{i,1}, a_{i,2}, \ldots, a_{i,2k^2} \}.$ 

— Each user $u$ receives the personal key 

  $P(u) = \{ a_{1,h_1(u)}, a_{2,h_2(u)}, \ldots, a_{\ell,h_\ell(u)} \}.$ 

— Let $s$ be the key used to encrypt the cipher block. The data supplier splits 
  $s$ into $\ell$ secrets $s_1, \ldots, s_\ell$, i.e., $s$ is given by the XOR of the $s_i$, and 
  encrypts every $s_i$ with all the keys of row $A_i$. These $\ell \cdot 2k^2$ encryptions are 
  added to the enabling block. 

Again, every authorized user recovers the secret key $s$, since he holds exactly one 
key of each row. The tracing property 
is obtained by an appropriate choice of the set of hash functions. In such a 
case, if a pirate decoder is captured, the tracing algorithm simply identifies the 
user owning the highest number of keys found in the decoder. With high probability this 
user is one of the traitors. On the other hand, the probability that an innocent 
user is accused is very small. Details can be found in [48]. 
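The two schemes above, as an added toy implementation that is not part of the lecture notes: key allocation, construction of the enabling block, decryption by a (possibly pirate) decoder, and the tracing step for both the 1-resilient and the k-resilient scheme. Encryption of a share under a base key is simulated by a keyed one-time pad (share XOR SHA-256(key || nonce)); this, the 16-byte base keys and the round-robin way in which colluding traitors pool their keys are assumptions of the example, not part of the schemes as described.

```python
# Added example (not from the lecture notes): toy models of the 1-resilient and
# k-resilient traitor tracing schemes above, plus the tracing step. Encryption
# of a share under a base key is simulated by a keyed one-time pad,
# share XOR SHA-256(key || nonce); a real system would use an AEAD instead.
import hashlib
import random
import secrets

SHARE_LEN = 32  # length in bytes of s and of every share s_i


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keyed one-time pad; applying it twice with the same key decrypts."""
    return xor_bytes(hashlib.sha256(key + nonce).digest(), data)


def split(s: bytes, parts: int) -> list:
    """Split s into `parts` random shares whose XOR is s."""
    shares = [secrets.token_bytes(SHARE_LEN) for _ in range(parts - 1)]
    last = s
    for sh in shares:
        last = xor_bytes(last, sh)
    return shares + [last]


class OneResilient:
    """Base keys a[j][b] for j < log n, b in {0,1}; user i holds a[j][bit_j(i)]."""

    def __init__(self, log_n: int):
        self.rows = log_n
        self.base = {(j, b): secrets.token_bytes(16)
                     for j in range(log_n) for b in (0, 1)}

    def personal_key(self, i: int) -> set:
        return {(j, (i >> j) & 1) for j in range(self.rows)}

    def enabling_block(self, s: bytes):
        """Share j is encrypted under both a[j][0] and a[j][1]."""
        nonce = secrets.token_bytes(16)
        shares = split(s, self.rows)
        return nonce, {idx: enc(self.base[idx], nonce, shares[idx[0]])
                       for idx in self.base}

    def trace(self, pirate_keys: set) -> int:
        """One traitor: the decoder holds exactly his keys, which spell his identity."""
        ident = 0
        for (j, b) in pirate_keys:
            ident |= b << j
        return ident


class KResilient:
    """ell rows of 2k^2 base keys; user u holds a[i][h_i(u)] for every row i."""

    def __init__(self, n: int, k: int, ell: int, seed: int = 0):
        self.n, self.rows, self.cols = n, ell, 2 * k * k
        rng = random.Random(seed)  # the random hash functions h_1..h_ell, tabulated
        self.h = [[rng.randrange(self.cols) for _ in range(n)] for _ in range(ell)]
        self.base = {(i, j): secrets.token_bytes(16)
                     for i in range(ell) for j in range(self.cols)}

    def personal_key(self, u: int) -> set:
        return {(i, self.h[i][u]) for i in range(self.rows)}

    def enabling_block(self, s: bytes):
        """Share i is encrypted under every key of row A_i."""
        nonce = secrets.token_bytes(16)
        shares = split(s, self.rows)
        return nonce, {idx: enc(self.base[idx], nonce, shares[idx[0]])
                       for idx in self.base}

    def trace(self, pirate_keys: set) -> int:
        """Accuse the user whose personal key overlaps the captured decoder the most."""
        score = {u: len(pirate_keys & self.personal_key(u)) for u in range(self.n)}
        return max(score, key=score.get)


def recover(scheme, keys: set, nonce: bytes, block: dict) -> bytes:
    """What any decoder does: decrypt one ciphertext per row and XOR the shares."""
    s = bytes(SHARE_LEN)
    for idx in keys:
        s = xor_bytes(s, enc(scheme.base[idx], nonce, block[idx]))
    return s


def pirate_decoder(scheme, traitors: list) -> set:
    """Traitors pool their keys: row r is taken from traitor number r mod len(traitors)."""
    per_user = [sorted(scheme.personal_key(t)) for t in traitors]  # sorted by row
    return {per_user[r % len(traitors)][r] for r in range(scheme.rows)}


if __name__ == "__main__":
    s = secrets.token_bytes(SHARE_LEN)
    kr = KResilient(n=16, k=2, ell=64, seed=1)
    nonce, block = kr.enabling_block(s)
    box = pirate_decoder(kr, [3, 9])  # users 3 and 9 collude
    print("pirate box decrypts:", recover(kr, box, nonce, block) == s)
    print("accused:", kr.trace(box))
```

The pirate box built by two colluders decrypts every enabling block exactly like a legitimate decoder, yet its key set matches no single user: tracing works by counting, per user, how many of the captured keys lie in that user's personal key. With $\ell$ much larger than $2k^2$ an innocent user shares only about $\ell/2k^2$ keys with the box while each traitor contributed about $\ell/k$, which is why the argmax lands on a traitor with high probability.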

Since the first paper on tracing traitors [47], many results have been achieved 
in this field, which has received attention from a large number of researchers. Some 
references about tracing (and multicast) schemes for the interested reader, just 
to name a few, are [17,32,34,48,57,59,103,65,98,99,96,71,72,73,78,108,109,116], 
[123,124]. 

7 Quantum Key Distribution 

To close our quick overview of key distribution schemes, we would like to 
spend some words on quantum cryptography and, more precisely, on quantum 
key distribution. The reader is strongly encouraged to read the survey article by 
Gottesman and Lo [68] for a concise, simple and interesting introduction to the 
subject and its possible future perspectives. 

During the last century, scientists have shown that classical physics is a 
powerful theory to describe the macroscopic world but almost useless for the 
microscopic one: here, the determinism of classical physics fails to describe 
the intrinsically random behavior of particles. Moreover, in the 
microscopic world, Heisenberg's uncertainty principle imposes a fundamental 
limitation on the accuracy of the measurements that can be made. 

Quantum Information Processing is a new emerging research field in which 
people are studying the possibility of using quantum systems and quantum laws 
in information processing. Many efforts have been made in recent years, and 
several difficult problems in the classical information processing scenario have 
been shown to be easily solvable in the quantum setting: if a quantum computer 
can be built, many public key cryptography schemes, for example, would be 
completely useless [113]. 

In Cryptography, apart from the destructive aspects related to possible ap- 
plications of quantum algorithms and systems, some positive results have been 
achieved as well. One of the most remarkable is a method enabling two parties, 
which share a quantum channel and a public classical channel, to establish a com- 
mon secret key for subsequent cryptographic uses. Bennett and Brassard pro- 
posed the first scheme in 1984 [16]. Nowadays, several groups have implemented 
and experimented with quantum key distribution schemes, and some companies have 
even started their own businesses on these products (e.g., see [68]). 

Staying far from a precise and in-depth presentation, in the following we 
would like just to sketch how quantum key distribution works. 

The key Alice wishes "to send" to Bob is a sequence of bits. The value of 
each bit is encoded in the properties of a photon, its polarization for example. 
The polarization is the oscillation direction of its electric field. Four possible po- 
larizations are considered to represent the bits: horizontal, vertical, and the two 
diagonal ones. Graphically, these polarizations can be represented by the symbols 
↔, ↕, / and \. Alice and Bob agree that ↔ and / represent 0, while ↕ and \ represent 1. A 
filter can be used to distinguish between horizontal ↔ and vertical ↕ photons; 
another one, between diagonal / and \ photons. Hence, each filter enables 
reading a photon which can encode zero or one. 

The main property on which quantum key distribution is based is the following: 
when a photon passes through the correct filter, its polarization does not change, 
while, if it passes through the wrong one, its polarization is modified randomly. 

For example, if a vertical or horizontal photon passes through the filter to 
distinguish between vertical and horizontal photons, its polarization does not 
change. Vice versa, if it passes through the filter to distinguish between diagonal 
photons, it randomly changes its polarization. 

Basically, the scheme works as follows: Alice, for each bit of the key, chooses 
a photon with one of the two possible polarizations representing that bit and 
sends it, through the quantum channel, to Bob. At each transmission, Bob chooses 
uniformly at random a filter to read either horizontal and vertical photons or diagonal 
photons. At the end, he tells Alice his choices and Alice confirms the right ones. 
The bits read correctly by Bob form the basis for the common secret key. Indeed, 
in order to extract a common secret key from the sequence of bits, they have to 
check the absence of transmission errors and of Eve's eavesdropping. 

Roughly speaking, the security of the scheme is guaranteed since, if Eve tries 
to read the photons transmitted by Alice along the quantum channel, then on 
average half of the time she changes their polarization. In this case, at the 
end of the quantum key distribution protocol, Alice and Bob can recognize her 
presence. In other words, we can even say that the laws of nature guarantee 
that an eavesdropper will either reveal herself with near certainty or gain no 
information about the key. The probability that an eavesdropper is not detected 
and nevertheless gains a substantial amount of information can be made as small 
as desired. 

More precisely, but without going into the details, the protocol can be de- 
scribed as in the box below. 

Notice that, even if Eve eavesdrops on the communication that takes place over 
the public channel in step 3, she cannot learn anything about the 
bits read by Bob, since each filter enables reading a photon which can encode 
zero or one. 

At first sight, the scheme can be considered a key transport scheme, 
since Alice chooses the initial sequence of bits; but, actually, the final key is the 
result of the random choices of Bob as well. Hence, if Alice chooses the string 
uniformly at random, even if the final key is a subset of the initial string, it is a 
random string generated by the random choices of both users. Hence, it can be 
better considered a key agreement scheme. 

Notice that, even if intuitively simple, the formal proof of security of a quantum 
key distribution scheme is a very difficult task, due to the variety of quantum tricks 
that Eve can apply and that must be taken into account. 
Quantum Key Distribution Scheme 

1. For each key bit, Alice sends a photon, whose polarization is randomly 
selected. She records these polarizations/orientations. 

2. For each incoming photon, Bob chooses randomly one of the two filters. 
He writes down his choice as well as the value he records. 

3. After all photons have been transmitted, Bob reveals, over a conventional 
and insecure channel - the phone line for example - to Alice the sequence 
of filters he used. 

4. Alice tells Bob in which cases he chose the correct filter. 

5. Alice and Bob now know in which cases their bits should be identical (when 
Bob used the correct filter). A subset of these bits will form the final key. 

6. Finally, Alice and Bob check the common sequence of bits they hold. In 
this step error correcting codes are used and some bits are discarded. The 
remaining ones constitute the common secret key. 
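The six steps above, as an added classical simulation that is not part of the lecture notes: photons are modelled as (filter, bit) pairs with the single physical property the text relies on (reading with the wrong filter yields a random bit), and an optional intercept-and-resend Eve is placed on the quantum channel. Step 6 is simplified to sacrificing every other sifted bit to estimate the error rate instead of running an error correcting code; the photon count, the seed and that simplification are assumptions of the example.

```python
# Added example (not from the lecture notes): a classical simulation of the six
# steps above (the BB84 protocol of [16]) with an optional intercept-and-resend
# eavesdropper. A photon is a (filter, bit) pair; reading it with the wrong
# filter gives a uniformly random bit, which is the property the text relies on.
import random

RECT, DIAG = 0, 1  # the two filters: horizontal/vertical and the two diagonals


def read(sent_filter: int, sent_bit: int, used_filter: int, rng) -> int:
    """Correct filter: polarization unchanged. Wrong filter: bit re-randomised."""
    return sent_bit if used_filter == sent_filter else rng.randrange(2)


def bb84(n_photons: int, eve: bool, seed: int = 0) -> dict:
    rng = random.Random(seed)
    # Step 1: Alice picks a random bit and a random filter for each photon.
    a_bits = [rng.randrange(2) for _ in range(n_photons)]
    a_filters = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]
    b_filters, b_bits = [], []
    for bit, flt in zip(a_bits, a_filters):
        if eve:  # Eve reads with a random filter and re-sends what she saw
            e_flt = rng.choice((RECT, DIAG))
            bit, flt = read(flt, bit, e_flt, rng), e_flt
        # Step 2: Bob picks a filter at random and records what he reads.
        b_flt = rng.choice((RECT, DIAG))
        b_filters.append(b_flt)
        b_bits.append(read(flt, bit, b_flt, rng))
    # Steps 3-5: filters are compared in public; keep the positions that agree.
    sifted = [i for i in range(n_photons) if a_filters[i] == b_filters[i]]
    a_key = [a_bits[i] for i in sifted]
    b_key = [b_bits[i] for i in sifted]
    # Step 6 (simplified): reveal every other sifted bit to estimate the error
    # rate; the revealed bits are discarded, the rest is the raw key.
    check = range(0, len(a_key), 2)
    errors = sum(a_key[i] != b_key[i] for i in check)
    return {
        "sifted": len(sifted),
        "qber": errors / max(1, len(check)),
        "alice": a_key[1::2],
        "bob": b_key[1::2],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eve, seed=7)
        print(f"eve={eve}: sifted {r['sifted']} bits, error rate {r['qber']:.3f}, "
              f"keys agree: {r['alice'] == r['bob']}")
```

Without Eve the sifted keys agree bit for bit and about half of the photons survive sifting. With an intercept-and-resend Eve, every sifted position where she guessed the wrong filter (half of them) is re-randomised, so Bob reads a wrong bit half of those times: an error rate near 25% in step 6, which is how Alice and Bob recognise her presence.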



A drawback of the above scheme is that it assumes that, before running the 
protocol, Alice and Bob authenticate each other in some way (i.e., using some 
common information or some short shared key). The authentication is necessary 
to avoid an impersonation attack, where Eve pretends to be, for example, Bob. 
Hence, it cannot be used by two users that have never met before. 

A solution that can be used to solve the authentication problem is the in- 
troduction of a Quantum Cryptographic Center, universally known and trusted, 
that verifies the identity of both users. 

Most experiments carried out up to now use optical fibers to implement 
the quantum channel, shared between Alice and Bob, to transmit the photons. 
Currently, distances up to 70 kilometers have been achieved at many places, for 
example, at Los Alamos (USA), at BT Labs (UK), at the University of Geneva 
(CH), and at the University of Vienna. However, experiments have even been 
conducted in Los Alamos in order to send the photons through the air. In this 
case, the ultimate goal is secure ground-to-satellite communication. 

Finally, quantum key distribution is feasible with current technology, though 
at still rather low data rates (a few hundred bits per second). 

8 Conclusions 

Key Establishment is a vast topic. Perhaps the aspects left uncovered are more than 
the ones we have briefly mentioned in this paper. We have outlined some settings 
and protocols that seem to us to be representative of both problems and possible 
solutions. However, our aim was just to give a gentle introduction to the subject, 
mainly for students who approach the Key Establishment problem for the first 
time. Among important approaches that are totally missing from this version of 
the paper, the unconditionally secure key agreement technique by public discus- 
sion [90] surely would have deserved a whole section. We refer the reader to [90] 
for details and to [91] for papers on this approach and related techniques (e.g., 
privacy amplification). Several variations of protocols for key distribution 
for dynamic groups, close in spirit to multicast schemes, supporting centralized 
and decentralized group control, should have been mentioned as well (e.g., [3,99]). The 
Key Escrow issue [62] and its practical/political implications should have been 
described, too (e.g., see [63] and the references quoted therein). It 
would also have been interesting to take a look at the world of standards (e.g., 
[61]). For all these aspects we refer the reader to the proceedings of the ma- 
jor conferences in Cryptography (Crypto, Eurocrypt, and Asiacrypt) and to the 
journals involved in Cryptography and Theoretical Computer Science. Another 
good source of references, with notes about the history of the schemes, credits to 
the authors, and attributions of the results, can be found in the paragraphs at 
the end of Chapters 12 and 13 of [94]. What more can we say? If the reader has 
found the topic fascinating, and his curiosity is driving him to look for further 
papers, we have reached the goal for which we have been writing these pages: a 
'quick introduction' is not needed anymore! 
Abstract. The paper surveys the literature on high-level name-passing process 
calculi, and their extensions with cryptographic primitives. The survey is by no 
means exhaustive, for essentially two reasons. First, in trying to provide a coher- 
ent presentation of different ideas and techniques, one inevitably ends up leaving 
out the approaches that do not fit the intended roadmap. Secondly, the literature 
on the subject has been growing at very high rate over the years. As a conse- 
quence, we decided to concentrate on few papers that introduce the main ideas, 
in the hope that discussing them in some detail will provide sufficient insight for 
further reading. 



Outline of the Paper 

We start in Section 1 with a brief review of a polyadic version of Milner's π-calculus. 
Then we outline the foundational work by Pierce and Sangiorgi on typing systems for 
the π-calculus. Section 3 covers the Join Calculus, and a discussion on its type systems. 
The remaining sections cover security specific extensions of name-passing calculi. In 
Section 4 we review an extension of the π-calculus with a new construct for group 
creation, and study the impact of the new primitive in enforcing secrecy. In Section 5 we 
discuss the security π-calculus, a typed version of the asynchronous π-calculus, which 
applies type based techniques to provide resource access control and information 
flow security guarantees. Section 6 gives a brief outline of a value passing extension 
of CCS, known as CryptoSPA, with cryptographic primitives. Finally, Section 7 covers 
the spi-calculus, and its typing system(s) for secrecy. Each section includes pointers to 
further important work in the literature relevant to each of the topics. 

1 The Pi Calculus 

The π-calculus is a way of describing and analyzing systems consisting of agents which 
interact with each other, and whose configuration is continually changing. The π- 
calculus emerged as the canonical model of concurrent computation, in much the same 
way as the λ-calculus has established itself as the canonical model of functional com- 
putation. 
The λ-calculus emphasizes the view of computation as the process of taking ar- 
guments and yielding results. In the λ-calculus everything is a function, and compu- 
tation is, essentially, the result of function application. Concurrent computation can- 
not be forced into this functional metaphor of computation without severe distortions: 
if anything, functional computation is a special case of concurrent computation, and 
one should reasonably expect to find the functional model represented within a general 
enough model of concurrency. 

In the π-calculus, every term denotes a process - a computational activity running in 
parallel with other processes and possibly containing several independent subprocesses. 
Computation arises as a result of process interaction, which in turn is based on com- 
munication on named channels. Naming is, in fact, the pervasive notion of the calculus, 
for various reasons. Naming presupposes independence: one naturally assumes that the 
namer and the named are independent (concurrent) entities. Further, using a name, or 
address, is a prerequisite to the act of communicating, and of locating and modifying 
data. 

Based on these observations, the π-calculus seeks ways to treat data-access and 
communication as the same thing: in doing so, it presupposes that naming of channels is 
primitive, while naming of agents is not. As we shall see, departing from this view, and 
extending the concept of naming to agents and locations is what led to the development 
of models of mobility on top of the π-calculus. As of now, however, we start looking at 
the π-calculus in itself. 

1.1 Syntax and Operational Semantics 

There are in fact several versions of the π-calculus. Here, we will concentrate on a very 
basic one, although polyadic: the differences with other versions are mostly orthogonal 
to our concerns. The syntax is given in Table 1. 

We assume an infinite set of names to be used for values and communication chan- 
nels, and an infinite set of variables. We let $a, b, \ldots, p, q$ range over names and $x, \ldots, z$ 
range over variables. In addition, we often reserve $u$ and $v$ to denote names or vari- 
ables indistinguishably, whenever the distinction between the two notions may safely 
be disregarded. 

We use a number of notational conventions: $\tilde{x} : \tilde{T}$ stands for $x_1 : T_1, \ldots, x_k : T_k$, and 
we omit trailing dead processes, writing $\overline{u}\langle N\rangle$ for $\overline{u}\langle N\rangle.0$ and $u(x : T)$ for $u(x : T).0$. 
The empty tuple plays the role of synchronization messages. The input prefix and the 
restriction operator are binders: the notations $fn(P)$ and $fv(P)$ indicate, respectively, 
the set of free names and free variables of the process $P$: these notions are defined as 
usual. We assume identity for $\alpha$-convertible terms throughout, and we often omit type 
annotations on the two binders whenever irrelevant to the context in question. 

The syntactic form $0$ denotes the inert process, which does nothing. $u(x : T).P$ is 
a process that waits to read a value on the channel $u$: having received a value, say 
$M$, it behaves as $P$ with every free occurrence of $x$ substituted by $M$. Dually, $\overline{u}\langle M\rangle.P$ 
is a process that sends a value $M$ on channel $u$ and then behaves as $P$. The syntax 
suggests that output, as input, is synchronous, hence blocking: before continuing as $P$ 
the output $\overline{u}\langle M\rangle$ must be consumed by another process running in parallel*. 
The restriction form $(\nu a : T)P$ declares a new, fresh name $a$ local to $P$. $P \,|\, Q$ denotes 
the parallel composition of two subprocesses $P$ and $Q$. Finally, $!P$ stands for an infinite 
number of (parallel) copies of $P$. 

Table 1 Pi calculus (typed) syntax 

  Expressions  $M, N ::= bv$                          basic value 
                        $|\; a, \ldots, q$                name 
                        $|\; x, \ldots, z$                variable 
                        $|\; (M_1, \ldots, M_k)$          tuple, $k \geq 0$ 

  Processes  $P, Q, R ::= 0$                           stop 
                        $|\; \overline{u}\langle N\rangle.P$   output 
                        $|\; u(x : T).P$                  input 
                        $|\; (\nu a : T)P$                restriction 
                        $|\; P \,|\, P$                   composition 
                        $|\; !P$                          replication 

The operational semantics of the π-calculus is defined in terms of two relations: a struc- 
tural equivalence relation on process terms that allows the rearrangement of parallel 
compositions, replications and restrictions so that the participants in a communication 
can be brought into immediate proximity; and a reduction relation that describes the act 
of communication itself. 

Structural Congruence is defined as the least congruence relation that is closed un- 
der the following rules: 

1. $P \,|\, Q \equiv Q \,|\, P$, $\quad P \,|\, (Q \,|\, R) \equiv (P \,|\, Q) \,|\, R$, $\quad P \,|\, 0 \equiv P$ 

2. $(\nu a)0 \equiv 0$, $\quad (\nu a)(\nu b)P \equiv (\nu b)(\nu a)P$ 

3. $(\nu a)(P \,|\, Q) \equiv P \,|\, (\nu a)Q$ if $a \notin fn(P)$ 

4. $!P \equiv P \,|\, !P$ 

The one-step reduction relation $P \longrightarrow Q$ is the least relation closed under the rules in 
Table 2. 

The notation $P\{x_1 := M_1, \ldots, x_k := M_k\}$ indicates the simultaneous substitution of $M_i$ 
for each free occurrence of the variable $x_i$ in $P$, for $i \in [1..k]$. We assume that substitution 
maps variables to names (or else unstructured values). In other words, the substitution 
$\{x_1 := M_1, \ldots, x_k := M_k\}$ is only defined when each of the $M_i$ is either a name or a basic 
value. In all other cases it is undefined. 

The rule (COMM) is the core of the reduction relation, as it defines the effect of syn- 
chronization between two processes on a channel. The rules (STRUCT) complete the 
definition. Notice that reduction is possible under a restriction, but not under either 
of the two input and output prefix forms. It is also instructive to comment on the last 
structural rule for reduction, that connects the relations of reduction and structural con- 
gruence, and specifically on the interplay between the reduction rule (COMM) and the 
structural rule $(\nu a)(P \,|\, Q) \equiv P \,|\, (\nu a)Q$ if $a \notin fn(P)$, known as the rule of scope extru- 
sion. If we read the equivalence from left to right there is nothing surprising: since the 
name $a$ does not occur free in $P$, restricting $a$ on this process is vacuous, and we may 
safely move the restriction to $Q$ without changing (at least intuitively) the meaning of 
the term. When used from right to left, instead, the equivalence enables the communi- 
cation of private names. Consider the term $c(x).P \,|\, (\nu a)\overline{c}\langle a\rangle.Q$. In their current form, 
the two parallel processes may not communicate. However, we may use the congruence 
rules to rearrange the term as $(\nu a)(c(x).P \,|\, \overline{c}\langle a\rangle.Q)$, and then use (COMM) to reduce 
it to $(\nu a)(P\{x := a\} \,|\, Q)$. By effect of the reduction, the name $a$, which was private to $Q$, has 
now been communicated to $P$. Interestingly, the name $a$ may very well be the name of 
a channel, which implies that the reduction has the effect of establishing a new com- 
munication link between the two processes $P$ and $Q$. Also note that the new link is now 
private to $P$ and $Q$, and will remain so as long as the two processes do not communicate 
it to third parties. 

* There exists an asynchronous variant of the calculus in which output is non-blocking. We 
will discuss it briefly below, and return to it in later sections, when discussing some of the 
derivative calculi. 

Table 2 Reduction Relation 

(COMM) 
  $u(x_1 : T_1, \ldots, x_k : T_k).P \,|\, \overline{u}\langle M_1, \ldots, M_k\rangle.Q \longrightarrow P\{x_1 := M_1, \ldots, x_k := M_k\} \,|\, Q$ 

(STRUCT) 
  $\dfrac{P \longrightarrow P'}{P \,|\, Q \longrightarrow P' \,|\, Q}$ 
  $\qquad \dfrac{P \longrightarrow P'}{(\nu a)P \longrightarrow (\nu a)P'}$ 
  $\qquad \dfrac{P \equiv P' \quad P' \longrightarrow Q' \quad Q' \equiv Q}{P \longrightarrow Q}$ 

This simple example shows that the combination of scope extrusion and communi- 
cation provides a very powerful mechanism for: 

- dynamically changing the topological structure of a system of processes, by creat- 
ing new, fresh, communication links. 

- establishing private, hence secure communication links among the principals of the 
system. 

The ability to represent dynamically changing system topologies is the distinctive fea- 
ture of the π-calculus with respect to previous CCS-like calculi for concurrency. The 
possibility of establishing private channels, in turn, makes the π-calculus a good foun- 
dation for studying formal models of security protocols. We briefly illustrate this po- 
tential of the π-calculus with a simplified version of the protocol known as the Wide 
Mouthed Frog protocol. In this version, we have two principals $A$ and $B$ (the famous 
Alice and Bob), willing to exchange secret data $M$, and a server $S$, that mediates their 
communication: 

Message 1: $A \rightarrow S$: $c_{AB}$ on $c_{AS}$ 

Message 2: $S \rightarrow B$: $c_{AB}$ on $c_{BS}$ 

Message 3: $A \rightarrow B$: $M$ on $c_{AB}$ 
Initially, each one of $A$ and $B$ shares a channel with $S$. $A$ sends to $S$ a secret channel that 
it wishes to use to communicate with $B$; $S$ sends this channel to $B$ and then $A$ and $B$ 
may communicate. The π-calculus formulation of the protocol is just as direct, but now 
formal: 

  $A = (\nu c_{AB})\, \overline{c_{AS}}\langle c_{AB}\rangle.\overline{c_{AB}}\langle M\rangle$ 

  $S = c_{AS}(x).\overline{c_{BS}}\langle x\rangle$ 

  $B = c_{BS}(x).x(y).P\{y\}$ 

The notation $P\{y\}$ is used here simply to emphasize that $P$ will do something with the 
message it receives on the input channel $x$. The example shows how a secret channel 
may be established for communication, and relies critically on scope extrusion: the 
scoping rules guarantee that the context in which the protocol is executed (i.e. any 
process running in parallel with $A$, $B$ and $S$) will not be able to access the secret channel 
$c_{AB}$, unless of course any of the principals involved in the protocol gives it away. 

This use of private channels for secrecy is suggestive and effective in its simplicity. 
On the other hand, a problem with the π-calculus formulation of the protocol arises 
when we consider its implementation in a distributed environment. In that case, it is not 
realistic to rely only on the scope rules to ensure secrecy of names, as one also needs to 
prevent the context from having free access to the public channels over which private names 
are communicated. In our example, the name $c_{AB}$ is secret, but to guarantee that secrecy 
is preserved through the protocol we should also envisage a mechanism for prevent- 
ing the context from reading the name $c_{AB}$ while it is communicated over the public 
channels $c_{AS}$ and $c_{BS}$. Unfortunately, the π-calculus does not allow one to express the 
cryptographic operations that would typically be used for that purpose. This observa- 
tion motivated the design of the cryptographic extension of the π-calculus known as the 
spi calculus [5, 10]. 

We conclude the description of the untyped π-calculus with a more complex exam- 
ple that illustrates the reduction semantics and the computational flavor of the calculus. 

Example 1 (Memory Cells). A memory cell can abstractly be thought of as an object 
with private store $s$ holding the cell value, and two methods get and put for reading and 
writing the contents of the cell. In the π-calculus, this can be represented as a process 
consisting of three parallel subprocesses like the ones displayed below: 

  $cell(n) ::= (\nu s)(\, \overline{s}\langle n\rangle$ 
  $\qquad\qquad |\; !get(y).s(x).(\overline{s}\langle x\rangle \,|\, \overline{y}\langle x\rangle)$ 
  $\qquad\qquad |\; !put(y, v).s(x).(\overline{s}\langle v\rangle \,|\, \overline{y}\langle\rangle)\, )$ 

$cell(n)$ declares the private name $s$ representing the physical location holding the value 
$n$, and provides the two handlers for serving the "get" and "put" requests on its con- 
tents. Both the handlers are implemented as replicated processes, to make it possible 
to serve multiple requests. Each request is served by first spawning a fresh copy of the 
corresponding handler by means of the congruence rule $!P \equiv P \,|\, !P$. 

The intuition is as follows. To read the cell contents, a user sends a "get" request 
by transmitting, over the channel $get$, the name of a channel where it waits for the 
result of the request. Upon receiving the channel name, the "get" handler inside the 
cell consumes the current cell value, and then reinstates it while also copying it to the 
channel it received from the user. The protocol for serving a "put" request is similar. 
The cell's "put" handler waits for a value $v$: once $v$ is received, the handler consumes 
the current cell value and writes $v$ on the private channel $s$. There is a further subtlety, 
however, in that the "put" handler inside the cell also expects an "ack" channel from 
the user, which it uses to signal the completion of the protocol to the user. This may be 
required by a user that, say, increments the cell value and then reads the new value to 
print it: before reading the value, the user may use the ack channel to make sure it prints 
the new cell value, the one resulting from the increment. 

Here, we illustrate the reduction semantics with a simpler (and less realistic) user: 

  $user(v) ::= (\nu ack)(\, \overline{put}\langle ack, v\rangle.ack().(\nu ret)\, \overline{get}\langle ret\rangle.ret(x).\overline{print}\langle x\rangle\, )$ 

The user first writes a new value and then reads the cell contents to print the returned 
value. Now consider the system $cell(0) \,|\, user(v)$, with $v = 1$. An initial phase of structural rear- 
rangements brings the system into the form $(\nu s)(\nu ack)(\nu ret)\, (\ldots)_{cell} \,|\, (\ldots)_{user}$. Then 
the system $(\ldots)_{cell} \,|\, (\ldots)_{user}$ evolves as follows: we omit the application of congru- 
ence rules and, at each reduction step, we only display the subterms that are relevant to 
the reduction in question: 

  $(\overline{s}\langle 0\rangle \,|\, (put(y,v).s(x).\ldots \,|\, \ldots))_{cell} \,|\, (\overline{put}\langle ack, 1\rangle.ack().\ldots)_{user}$ 
  $\longrightarrow (\overline{s}\langle 0\rangle \,|\, s(x).(\overline{s}\langle 1\rangle \,|\, \overline{ack}\langle\rangle) \,|\, \ldots)_{cell} \,|\, (ack().\ldots)_{user}$ 
  $\longrightarrow (\overline{s}\langle 1\rangle \,|\, \overline{ack}\langle\rangle \,|\, \ldots)_{cell} \,|\, (ack().(\nu ret)\,\overline{get}\langle ret\rangle.ret(x).\ldots)_{user}$ 
  $\longrightarrow (\overline{s}\langle 1\rangle \,|\, \ldots)_{cell} \,|\, (\overline{get}\langle ret\rangle.ret(x).\overline{print}\langle x\rangle)_{user}$ 
  $\longrightarrow (\overline{s}\langle 1\rangle \,|\, (s(x).(\overline{s}\langle x\rangle \,|\, \overline{ret}\langle x\rangle) \,|\, \ldots))_{cell} \,|\, ret(x).\overline{print}\langle x\rangle$ 
  $\longrightarrow (\overline{s}\langle 1\rangle \,|\, \overline{ret}\langle 1\rangle \,|\, \ldots)_{cell} \,|\, ret(x).\overline{print}\langle x\rangle$ 
  $\longrightarrow (\overline{s}\langle 1\rangle \,|\, \ldots)_{cell} \,|\, \overline{print}\langle 1\rangle$ □ 
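The memory cell of Example 1 and the Wide Mouthed Frog exchange above, as an added executable model that is not part of the survey. asyncio queues stand in for channels; since a queue is an ordinary value, channel names travel over channels exactly as in the calculus, and the private names $s$, $ack$, $ret$ and $c_{AB}$ are queues that only their creator can hand out. Outputs do not block here, so this is the asynchronous variant mentioned in the footnote rather than the synchronous calculus of Table 2; that choice and the use of asyncio are assumptions of the example.

```python
# Added example (not from the survey): the memory cell and the simplified Wide
# Mouthed Frog exchange above, executed with asyncio queues standing in for
# channels. A queue is an ordinary value, so channel names travel over channels
# exactly as in the calculus; outputs do not block, so this is the asynchronous
# variant mentioned in the footnote, not the synchronous one of Table 2.
import asyncio


def new():
    """(nu a): a fresh channel nobody else can name."""
    return asyncio.Queue()


async def cell(n, get, put):
    """cell(n) = (nu s)( s<n> | !get(y).s(x).(s<x> | y<x>) | !put(y,v).s(x).(s<v> | y<>) )"""
    s = new()
    await s.put(n)

    async def serve_get(y):          # one copy of the get handler
        x = await s.get()
        await s.put(x)
        await y.put(x)

    async def serve_put(y, v):       # one copy of the put handler
        await s.get()
        await s.put(v)
        await y.put(())              # empty tuple: a pure synchronisation

    async def rep_get():             # !get(y)...: spawn a copy per request
        while True:
            asyncio.create_task(serve_get(await get.get()))

    async def rep_put():             # !put(y, v)...
        while True:
            y, v = await put.get()
            asyncio.create_task(serve_put(y, v))

    await asyncio.gather(rep_get(), rep_put())


async def user(v, get, put):
    """user(v) = (nu ack)( put<ack,v>.ack().(nu ret) get<ret>.ret(x).print<x> )"""
    ack = new()
    await put.put((ack, v))
    await ack.get()                  # wait for the write to complete
    ret = new()
    await get.put(ret)
    return await ret.get()           # the value that print<x> would emit


async def run_cell(v):
    get, put = new(), new()
    server = asyncio.create_task(cell(0, get, put))
    x = await user(v, get, put)
    server.cancel()
    try:
        await server
    except asyncio.CancelledError:
        pass
    return x


async def wide_mouthed_frog(m):
    c_as, c_bs = new(), new()        # what A and B share with S initially
    got = {}

    async def a():                   # A = (nu c_ab) c_as<c_ab>.c_ab<M>
        c_ab = new()
        await c_as.put(c_ab)
        await c_ab.put(m)

    async def s():                   # S = c_as(x).c_bs<x>
        await c_bs.put(await c_as.get())

    async def b():                   # B = c_bs(x).x(y).P{y}
        x = await c_bs.get()
        got["y"] = await x.get()

    await asyncio.gather(a(), s(), b())
    return got["y"]


def demo_cell(v):
    return asyncio.run(run_cell(v))


def demo_wmf(m):
    return asyncio.run(wide_mouthed_frog(m))


if __name__ == "__main__":
    print("cell returns", demo_cell(1))
    print("B received", demo_wmf("secret M"))
```

`demo_cell(1)` follows the reduction sequence above step by step: the put handler consumes 0 and reinstates 1, the ack unblocks the user, the get handler copies 1 to the fresh `ret` channel. In `wide_mouthed_frog`, B never names `c_ab` itself; it receives the queue over `c_bs` and then reads M from it, which is scope extrusion in action. The limitation discussed next also shows here: any coroutine holding `c_as` or `c_bs` could read the queue object as it goes by, and nothing in the model encrypts it.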




1.2 Further Reading 

Starting with the original presentation [46], there is by now an extensive literature on 
the π-calculus, also in the form of introductory [45] and advanced [54] texts. Most versions 
of the π-calculus, including the one we have outlined here, are first-order in that they 
allow only names to be transmitted over channels. Higher-order versions of the calculus 
have been extensively studied by Sangiorgi [54]. 

2 Typing and Subtyping for the Pi Calculus 

We have so far ignored the typing annotations occurring in the input and restriction 
binders. Now we take them more seriously, and look at the role of types in the calculus. 
There are in fact several reasons why types are useful for process calculi in general, and 
for the π-calculus in particular. 
- The theory of the pure (untyped) π-calculus is often insufficient to prove some "ex- 
pected" properties of processes. These properties arise typically from the program- 
mer using names according to some intended principle or logical discipline which, 
however, does not appear anywhere in the terms of the pure π-calculus, and there- 
fore cannot be used in proofs. Types bring the intended structure back into light, 
and therefore enhance formal reasoning on process terms: for instance, typed be- 
havioral equivalences are easier to prove, based on the fact that only typed contexts 
need to be considered. 

- Types may be employed to ensure that process interaction happens only in type-consistent ways, and hence to enable static detection of run-time type errors. To exemplify, consider the following two terms:

a⟨b,c⟩.P | a(x).Q          a⟨true⟩.P | a(x).x(y).Q

Both terms are, at least intuitively, ill-formed. The first reduces to the non-sensical process (b,c)(x).Q, while the second to the ill-formed term true(y).Q. A simple arity check would be enough to rule out the first term as ill-formed. This, however, is not true of the second term.

- Types can be useful for resource control. In the π-calculus, resources are channels, and the way that resources can be protected from unintended use is by hiding their names by means of the restriction operator. However, this is often too coarse a policy to enable effective resource control. In the untyped calculus, resource protection is lost when the resource name is transmitted, as no assumption can be made on how the recipient of the name will use the resource. Types may come to the rescue, as they can be employed to express and enforce a restrictive use of channels by associating them with read and/or write capabilities.

The study of type systems for process calculi originated from ideas by Milner [42, 43], based on the observation that channels used in systems of processes naturally obey a discipline in the values they carry, which reflects their intended use. For instance, in the cell example above, the ret channel is used to communicate integers, while the get channel is used to communicate another channel (in fact, the ret channel). In Milner’s original formulation, the cell example could be described by the following sorting:

ret : S_i      S_i ↦ int
get : S_g      S_g ↦ (S_i)
ack : S_a      S_a ↦ ()
put : S_p      S_p ↦ (S_a, ())

The key idea, in type systems for the π-calculus, is that sorts, or types, are assigned only to channels, whereas processes are either well typed under a particular set of assumptions for their bound and free names and variables, or they are not. As we shall see, a different approach is possible, based on assigning more informative types to processes to describe various forms of process behavior. For the time being, however, we look at typing systems where the role of types is essentially that of describing (and prescribing) the intended use of channels.

The foundational work on type systems by Pierce and Sangiorgi [47] was inspired by Milner’s initial idea, which they elaborate in two dimensions. First, they replace matching of types “by name” with a more direct notion of structural matching, a technical modification that enables a substantively more concise and elegant presentation. Secondly, and more importantly, they employ types in a prescriptive manner to control and restrict access to channels. Their technique is based on associating channels with capabilities, and on introducing a notion of subtyping to gain additional control over the use processes can make of channels. The rest of this section gives an overview of their work. The reader is referred to [47] for full details.

2.1 Types 

The structure of types is described by the following productions.

Types  S, T ::= B                  types of basic values
              | (T_1, ..., T_k)    tuple
              | r(T)               input channel
              | w(T)               output channel
              | rw(T)              input/output channel

The type of a channel not only describes the type T of the values it carries, but also the kind of access the channel offers to its users. In the untyped calculus every channel is available for input and output: types help distinguish, and restrict, the use of channels by associating them with access capabilities, providing users with the right to read from and/or write to a channel. The distinction between the two forms of access is reminiscent of a corresponding distinction that is made for the reference types in some functional programming languages. Reference types, that is, the types of mutable cells, are modeled with two different types: one for the use of cells as “sources” of values, from which values can be read, and the other for cells as “sinks” where values can be placed. The same intuition applies to channels: channels of type r(T) may only be used as sources (i.e. for input), channels of type w(T) as sinks (i.e. for output), whereas channels of type rw(T) are input-output channels behaving both as sources and sinks.

To exemplify, r(int) is a read-only channel carrying values of type int. Since channels themselves are values, one can define a typed channel c : rw(r(int)), conferring on c the capability of sending and receiving values which in turn are read-only channels carrying integers.

2.2 Typing Rules 

The typing rules are given in Table 3. They derive judgments in two forms: Γ ⊢ M : T, stating that term M has type T, and Γ ⊢ P, which simply says that the process P is well-typed in the context, or type environment, Γ. A type environment Γ contains a set of type assumptions for the free names and variables occurring in P: equivalently, one may think of Γ as a finite map from names and variables to types.

The rules (Base) and (Tuple) should be self-explanatory. The (Name) rule depends on the subtype relation ≤ which we discuss below: if the name (or variable) u is assumed to have type S in Γ, then any occurrence of that name in a process may also be typed at T provided that T is a super-type of S. The (Input) and (Output) rules ensure that channels are used consistently with their types. In the (Input) rule, the first premise requires that the channel from which input is requested provide a read capability and that the type of the input variables of the channel be consistent with the channel type. In addition, in order for the process u(x : T).P to be well typed, the continuation P must also be well typed under the additional assumptions that the input variables x are of the declared types. The rule (Output) has a similar reading. The remaining rules are easily explained: (Par) and (Repl) are purely structural, (Dead) states that the inert process is well typed, and (Restr) is standard.

Table 3 Typing Rules for the Pi Calculus

Typing of Terms

(Base)     Γ ⊢ bv : B          (bv a basic value of type B)

(Name)     Γ(u) = S    S ≤ T
           -----------------
           Γ ⊢ u : T

(Tuple)    Γ ⊢ M_i : T_i    i ∈ [1..k]
           --------------------------------
           Γ ⊢ (M_1, ..., M_k) : (T_1, ..., T_k)

Typing of Processes

(Input)    Γ ⊢ u : r(T)    Γ, x:T ⊢ P    x ∩ Dom(Γ) = ∅
           ----------------------------------------------
           Γ ⊢ u(x:T).P

(Output)   Γ ⊢ u : w(T)    Γ ⊢ M : T    Γ ⊢ P
           ------------------------------------
           Γ ⊢ u⟨M⟩.P

(Dead)     Γ ⊢ 0

(Par)      Γ ⊢ P    Γ ⊢ Q
           ---------------
           Γ ⊢ P | Q

(Repl)     Γ ⊢ P
           --------
           Γ ⊢ !P

(Restr)    Γ, a:T ⊢ P    a ∉ Dom(Γ)
           ------------------------
           Γ ⊢ (νa:T)P

Table 4 Core Subtype rules for channel types

(Sub Input)     S ≤ T
                -----------
                r(S) ≤ r(T)

(Sub Output)    T ≤ S
                -----------
                w(S) ≤ w(T)

(Sub IO/I)      rw(T) ≤ r(T)

(Sub IO/O)      rw(T) ≤ w(T)

2.3 Subtyping 

The subtype relation is central to the use of the type system to enforce access control over channels. The core subtyping rules are defined in Table 4. The subtype relation is the least reflexive and transitive relation that is closed under these rules, and under a rule that extends the subtype relation homomorphically to tuples: (S_1, ..., S_k) ≤ (T_1, ..., T_k) if S_i ≤ T_i for all i ∈ [1..k].

The two rules (Sub Input) and (Sub Output) are readily understood by analogy between channel types and reference types. Alternatively, one may think of a channel as a function: in its role as a source the channel returns a value, in its role as a sink it receives an argument. Now, the two rules reflect the subtype relation for function types: covariant in their return type and contravariant in their input. The rules (Sub IO/I) and (Sub IO/O) enable access control: any channel (which in the untyped calculus is always available for both input and output) may be associated with a more restrictive type (read-only or write-only) to protect it from misuse in certain situations. To illustrate the power of subtyping for resource access control, consider the following example from [47].

Example 2 (Access to a Printer). Suppose we have a system with a printer P and two clients C1 and C2. The printer provides a request channel p carrying values of some type T representing data to be printed on behalf of the clients. The system can be represented by the π-calculus process (νp : rw(T))(P | C1 | C2).

If we take, say, C1 ≜ p⟨j1⟩.p⟨j2⟩, one would expect that the jobs are received and processed, in that order, by the printer P. This is not necessarily the case, however, as C2 might not be willing to comply with the rules of the protocol. For instance, it may compete with P to “steal” the jobs sent by C1 and throw them away: C2 ≜ !p(x:T).0.

One can prevent this kind of misbehavior by constraining the capabilities offered to C1 and C2 on the channel p: in the end, the clients should only write on p, whereas the printer should only read from it. We may therefore extend the system with an initialization phase that enforces this intended behavior on all the participants in the protocol. The initialization phase uses two channels, a and b, to communicate the name p to the printer and to the two clients, restricting the respective capabilities on p.

(νp : rw(T))(a⟨p⟩.b⟨p⟩ | a(x : r(T)).P | b(y : w(T)).(C1 | C2))

Notice that now p is a read-only channel within P and a write-only channel within C1 and C2. Assuming appropriate definitions for the processes P, C1 and C2, the system type checks, under the assumption a, b : rw(rw(T)), as the subtype relation ensures that p : rw(T) may legally be substituted for any x : r(T) or y : w(T).
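To make the interplay of (Input), (Output) and the subtype relation concrete, here is an added Python example (not code from the paper or from [47]): a checker for the channel-type fragment of Table 3 and Table 4 (tuples omitted), run on Example 2 with T = job and constructed processes for P, C1 and the thief C2. Everything holding p at rw(T) lets the thief type check; once the initialization phase hands the clients only w(T), the thief's input on p is rejected.

```python
from dataclasses import dataclass
from typing import Dict, Union

# Types of Section 2.1 without tuples:  B | r(T) | w(T) | rw(T)
@dataclass(frozen=True)
class Base:
    name: str
@dataclass(frozen=True)
class Chan:
    cap: str          # "r", "w" or "rw": the capability the channel offers
    carried: "Type"   # the type of the values it carries
Type = Union[Base, Chan]

def subtype(s: Type, t: Type) -> bool:
    """S <= T: the least reflexive, transitive relation closed under Table 4."""
    if s == t:
        return True
    if isinstance(s, Chan) and isinstance(t, Chan):
        if t.cap == "r":   # (Sub Input), (Sub IO/I): covariant in the carried type
            return s.cap in ("r", "rw") and subtype(s.carried, t.carried)
        if t.cap == "w":   # (Sub Output), (Sub IO/O): contravariant
            return s.cap in ("w", "rw") and subtype(t.carried, s.carried)
    return False           # rw(S) <= rw(T) only by reflexivity, i.e. S == T

# Processes:  0 | u(x:T).P | u<M>.P | P|Q | !P | (nu a:T)P   (messages are names)
class Dead: pass
@dataclass(frozen=True)
class Input:
    chan: str; var: str; vtype: Type; cont: object
@dataclass(frozen=True)
class Output:
    chan: str; msg: str; cont: object
@dataclass(frozen=True)
class Par:
    left: object; right: object
@dataclass(frozen=True)
class Repl:
    body: object
@dataclass(frozen=True)
class Restr:
    name: str; ntype: Type; body: object
class IllTyped(Exception): pass

def check_name(env: Dict[str, Type], u: str, t: Type) -> None:
    """(Name): Gamma(u) = S and S <= T give Gamma |- u : T."""
    if u not in env or not subtype(env[u], t):
        raise IllTyped(f"{u} cannot be used at type {t}")

def check(env: Dict[str, Type], p) -> None:
    """Gamma |- P following Table 3; raises IllTyped if no derivation exists."""
    if isinstance(p, Par):
        check(env, p.left)
        check(env, p.right)
    elif isinstance(p, Repl):
        check(env, p.body)
    elif isinstance(p, Restr):           # (Restr): a must be fresh for Gamma
        if p.name in env:
            raise IllTyped(f"{p.name} already declared")
        check({**env, p.name: p.ntype}, p.body)
    elif isinstance(p, Input):           # (Input): u : r(T), then P under x:T
        check_name(env, p.chan, Chan("r", p.vtype))
        if p.var in env:
            raise IllTyped(f"{p.var} already declared")
        check({**env, p.var: p.vtype}, p.cont)
    elif isinstance(p, Output):          # (Output): u : w(T) and M : T
        s = env.get(p.chan)
        if not isinstance(s, Chan) or s.cap not in ("w", "rw"):
            raise IllTyped(f"{p.chan} offers no write capability")
        check_name(env, p.msg, s.carried)  # T := carried type; env[u] <= w(T) holds
        check(env, p.cont)
    # (Dead): 0 is always well typed

def well_typed(env: Dict[str, Type], p) -> bool:
    try:
        check(env, p)
        return True
    except IllTyped:
        return False

# Example 2 with T = job (constructed): P prints every job it reads, C1 sends two
# jobs, and a thief C2 = !p(z:T).0 competes with P for the jobs instead of writing.
T = Base("job")
def printer(ch): return Repl(Input(ch, "j", T, Dead()))
def honest_client(ch): return Output(ch, "j1", Output(ch, "j2", Dead()))
def thief(ch): return Repl(Input(ch, "z", T, Dead()))

def naive_system(c2) -> bool:
    """(nu p:rw(T))(P | C1 | C2): everyone holds rw(T) on p, so even the thief type checks."""
    env = {"j1": T, "j2": T}
    return well_typed(env, Restr("p", Chan("rw", T),
                                 Par(printer("p"), Par(honest_client("p"), c2("p")))))

def guarded_system(c2) -> bool:
    """(nu p:rw(T))(a<p>.b<p> | a(x:r(T)).P | b(y:w(T)).(C1 | C2)), with a,b : rw(rw(T))."""
    env = {"j1": T, "j2": T,
           "a": Chan("rw", Chan("rw", T)), "b": Chan("rw", Chan("rw", T))}
    init = Output("a", "p", Output("b", "p", Dead()))
    return well_typed(env, Restr("p", Chan("rw", T), Par(init, Par(
        Input("a", "x", Chan("r", T), printer("x")),
        Input("b", "y", Chan("w", T), Par(honest_client("y"), c2("y")))))))
```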

2.4 Properties of the Type System 

The type system satisfies the standard properties one expects: subject reduction and type safety. In functional languages, subject reduction guarantees that types are preserved during the computation. The result for the π-calculus is similar, and ensures that well-typedness is preserved by all the non-deterministic reductions of a process.

Theorem 1 (Subject Reduction). If Γ ⊢ P and P → Q, then Γ ⊢ Q.

The proof of this result requires two auxiliary results. The first is the so-called subject-congruence theorem, stating that well-typedness is preserved by the relation of structural congruence.

Theorem 2 (Subject Congruence). If Γ ⊢ P and P ≡ Q, then Γ ⊢ Q. Dually, if Γ ⊢ P and Q ≡ P, then Γ ⊢ Q.

The second is the π-calculus version of the familiar substitution lemma from type systems for the λ-calculus.

Theorem 3 (Substitution). If Γ ⊢ u : T and Γ, x : T ⊢ P, then Γ ⊢ P{x := u}.

Type safety is a more subtle issue. In functional calculi, proving type safety amounts to proving the so-called absence of stuck states, i.e. to showing that the evaluation of well-typed terms either does not terminate, or returns a value, for a suitable notion of value. In the π-calculus, there is no notion of value, as computation is entirely based on interaction between processes, which do not return values. A notion of “stuck state” may nevertheless be formulated, and taken as the basic common denominator of different notions of type safety.

Theorem 4 (Basic Type Safety). Assume Γ ⊢ P, and P → Q. If Q contains a subterm

c(x_1 : T_1, ..., x_n : T_n).Q_1 | c⟨M_1, ..., M_k⟩.Q_2

then all of the following hold true: c is a name or variable (i.e. not a constant of basic type), k = n and each of the M_i is a non-structured value.

The theorem says essentially that process interaction happens in type-consistent ways, and never generates undefined substitutions. In addition, one may wish to prove other properties for reduction, and consequently richer notions of type safety. For instance, for the type system we have presented in the previous section, it can be proved that reduction of well-typed processes guarantees that access to channels by processes is always consistent with the capabilities conferred on the channels by their types. We will discuss type safety more formally in some of the calculi presented in later sections. Presently, we content ourselves with this informal formulation, and refer the interested reader to [47] for details on this richer notion of type safety.

2.5 Further Reading 

The study of type systems for the π-calculus is currently very active, and has produced a large body of literature. Besides the work by Pierce and Sangiorgi we have reviewed in this section, and those we will discuss later on, an interesting pointer is to the work of Igarashi and Kobayashi [37], where a generic framework is proposed in which to understand several previous systems.

3 The Join Calculus

The Join calculus [29, 30] is a variant of the asynchronous π-calculus [12, 36] which combines restriction, reception, and replication in one construct, the join receptor J ▷ P. For example the definition

def apply(f,x) ▷ f⟨x⟩     (1)

defines a new name apply that receives two arguments and applies the first to the second. More precisely, it receives a channel name that it binds to f and a name that it binds to x, and sends the latter over the former. This is more formally shown by the following reduction:

def apply(f,x) ▷ f⟨x⟩ in apply⟨g,y⟩   →   def apply(f,x) ▷ f⟨x⟩ in g⟨y⟩
Table 5 The Join calculus

Processes      P, Q  ::= x⟨v⟩          Asynchronous message on x
                       | def D in P    Definition of D in P
                       | P | Q         Parallel composition
                       | 0             Empty process

Join patterns  J, J' ::= x(y)          Asynchronous reception on x
                       | J | J'        Joining messages

Definitions    D, E  ::= J ▷ P         Elementary clause
                       | D ∧ E         Simultaneous definition

Values         V, v  ::= x             Names

Table 6 Received, defined and free variables

dv(J ▷ P)       = dv(J)                        dv(D ∧ E)   = dv(D) ∪ dv(E)
dv(T)           = ∅                            dv(J | J')  = dv(J) ∪ dv(J')
dv(x(v))        = {x}

rv(x(v))        = {u | u ∈ v}                  rv(J | J')  = rv(J) ⊎ rv(J')

fv(J ▷ P)       = dv(J) ∪ (fv(P) \ rv(J))      fv(D ∧ E)   = fv(D) ∪ fv(E)
fv(T)           = ∅
fv(x⟨v⟩)        = {x} ∪ {u | u ∈ v}
fv(def D in P)  = (fv(P) ∪ fv(D)) \ dv(D)
fv(P | Q)       = fv(P) ∪ fv(Q)
fv(0)           = ∅


The syntax of the calculus is given in Table 5, where we assume names x, y, ... to be drawn from an infinite set N.

The only binding mechanism is the join pattern; the formal parameters which are received are bound in the guarded process. The received variables, rv(J), are the names to which the messages sent are bound; the defined variables in a join pattern or a definition, dv(J) and dv(D), are the names which are bound by the definition. The free variables, fv(P) and fv(D), are all the names which are not bound. Received, defined and free variables can be easily defined as expected by structural induction (see Table 6).

It is important to notice that there is no linearity condition on the channel names in a composed join pattern; however, elementary join patterns are required to be linear, i.e. received variables are supposed to be pairwise distinct. A name is said to be fresh in a process when it is not free in it. In the following discussions a consistent use of names is assumed.

The operational semantics of the Join calculus is given using the chemical paradigm (structural rules ⇌ plus reduction →) in terms of the so called Reflexive Chemical Abstract Machine (RCHAM) [29, 14] (see Table 7). States of the RCHAM are expressions of the form D ⊨ P, where P are the running processes and D are the (chemical) reactions.

Table 7 The RCHAM

(str-join)   ⊨ P | Q   ⇌   ⊨ P, Q
(str-def)    ⊨ def D in P   ⇌   Dσ_dv ⊨ Pσ_dv
(red)        ... ∧ J ▷ P ∧ ... ⊨ Jσ_rv   →   ... ∧ J ▷ P ∧ ... ⊨ Pσ_rv

Side conditions: in (str-def) σ_dv instantiates the names in dv(D) to distinct fresh names; in (red) σ_rv substitutes the received variables rv(J) with the values actually received.

Note that join patterns can be the parallel composition of different receptions, and that reduction takes place only when all the receptions synchronize. So for example the following receptor

def ready(printer) | print(file) ▷ printer⟨file⟩ in P

reduces only when in P two (unbound) outputs on ready and print occur in parallel, as for

def ready(printer) | print(file) ▷ printer⟨file⟩ in ready⟨gutenberg⟩ | print⟨myths.ps⟩ | Q

which reduces to

def ready(printer) | print(file) ▷ printer⟨file⟩ in gutenberg⟨myths.ps⟩ | Q

The same behavior could be obtained by composing this definition with the definition (1):

def apply(f,x) ▷ f⟨x⟩ ∧ ready(p) | print(f) ▷ apply⟨p,f⟩



3.1 Typing 

Let us again consider the definition of the expression (1). If we use ⟨T⟩ to denote the type of channels transporting values of type T, then apply has type ⟨⟨T⟩, T⟩ for every type T. In words, apply is a channel that transports pairs formed by a channel and a value that can be sent over that channel.

Note the polymorphic nature of the type of apply. This can be formally expressed by generalizing the type of apply into the following type schema: ∀α.⟨⟨α⟩, α⟩. We saw before that the join calculus provides synchronization between join patterns. Thus for instance a variant of apply that receives f and x from different sources can be defined as follows

def fun(f) | arg(x) ▷ f⟨x⟩







104 Michele Bugliesi et al.



Table 8 Typing rules for the Join Calculus

(Inst)      x : ∀α.T ∈ A
            -------------------
            A ⊢ x : T{α := T'}

(Par)       A ⊢ P    A ⊢ Q
            ---------------
            A ⊢ P | Q

(Message)   A ⊢ x : ⟨T_1, ..., T_n⟩    A ⊢ v_i : T_i  (i = 1..n)
            --------------------------------------------------
            A ⊢ x⟨v_1, ..., v_n⟩

(Def)       A, B ⊢ D :: B    A, Gen(B, A) ⊢ P
            ---------------------------------
            A ⊢ def D in P

(Join)      [rule illegible in the source; its premises range over i = 1..n]

(And)       A ⊢ D_1 :: B_1    A ⊢ D_2 :: B_2    B_1|Dom(B_2) = B_2|Dom(B_1)
            ------------------------------------------------------------
            A ⊢ D_1 ∧ D_2 :: B_1, B_2

According to what we said before, fun and arg can be respectively typed as ⟨⟨α⟩⟩ and ⟨α⟩. Observe, however, that fun and arg are correlated in their types as they must share the same type variable α. This forbids generalizing their types separately: if we assigned them the types ∀α.⟨⟨α⟩⟩ and ∀α.⟨α⟩, then the correlation of the types of the two names defined in the same join pattern would be lost. In [14] this problem is handled by the definition of the generalization rule that forbids the generalization of type variables that appear free in the type of more than one co-defined name.

The type system of [14] is defined as follows:

Types     T ::= α | ⟨T, ..., T⟩        Type Envs     B ::= ∅ | B, x:T
Schemas   σ ::= T | ∀α.σ               Schema Envs   A ::= ∅ | A, x:σ

The type system includes three kinds of typing judgments:

A ⊢ u : T       the name u has type T in A
A ⊢ P           the process P is well typed in A
A ⊢ D :: B      the definition D is well-typed in A with types B for its defined names

which are deduced by the typing rules in Table 8.

In that table, Gen(B, A) is the generalization of the type environment B of the form (x_i : T_i)_{i∈I} with respect to the schema environment A: let fv(A) be the set ∪_{x:σ∈A} vars(σ), where vars(σ) is the set of variables occurring in σ; let B\x be the environment B without the binding for x; then Gen(B, A) is (x_i : ∀(fv(T_i) \ fv(A, (B \ x_i))).T_i)_{i∈I}.
With the exception of (Def) all the rules are straightforward, insofar as they are almost directly inspired by the typing rules for the polymorphic (polyadic) λ-calculus. (Inst) assigns to a variable x any type that is an instance of the type schema associated to x in A; (Par) is straightforward; (Message) checks that the types of the actual parameters match the type of the channel the parameters are sent over; (Join) checks that the guarded process P is typable under the assumption that the types of the formal parameters of the join patterns match those of the corresponding channels, and associates to the definition the type environment of its declared names; (And) associates to the composition of two definitions the composition of the type environments of their declared names, provided that the two definitions do not declare a common name. Finally (Def) is the most technical rule: first, it checks the typing of the definition D under the type environment produced by D. This allows recursive definitions; second, it checks the well typing of P under the generalization of the types of the new definition with respect to A. In particular the generalization takes into account the sharing problem we hinted at in the beginning of the section. Therefore for every constraint x : T ∈ B the generalization does not generalize all the free type variables of T but, instead, only those free variables that are not shared with a previous definition or with a parameter of the actual join pattern.

3.2 Properties of the Type System 

Soundness. The soundness of the type system is obtained by proving subject reduction and basic type safety (corresponding to Theorem 4 for the π-calculus).

Theorem 5 (Subject Reduction). If A ⊢ P and P → Q, then A ⊢ Q.

Definition 1. A process of the form def D ∧ J ▷ P in Q | x⟨v⟩ is wrong if J contains a message x(y) where y and v have different arities.

Theorem 6 (Basic Type Safety). If A ⊢ P then P is not wrong.

The composition of the previous two theorems ensures that well typed processes never go wrong.
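As an added illustration (not code from the paper), the following Python simulator implements the RCHAM of Table 7 for definitions whose guarded processes are parallel messages, together with the "wrong" predicate of Definition 1. It replays the printer receptor of Section 3: ready and print reduce only when both messages are present, the composition with apply reaches the same final solution, and a message of the wrong arity is flagged. The names gutenberg and myths.ps are the page's; the Python identifiers and the "duplex" message are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A message x<v1,...,vn> and a reception x(y1,...,yn) have the same shape.
Message = Tuple[str, Tuple[str, ...]]

@dataclass(frozen=True)
class Clause:
    """Elementary clause J |> P, with the guarded process P restricted to
    a parallel composition of messages (enough for the examples above)."""
    pattern: Tuple[Message, ...]   # J = x1(y1) | ... | xn(yn)
    body: Tuple[Message, ...]      # P = z1<w1> | ... | zm<wm>

Definition = List[Clause]          # D = J1 |> P1 /\ ... /\ Jk |> Pk

def subst(m: Message, sigma: Dict[str, str]) -> Message:
    """Apply sigma_rv: received variables are replaced, other names stay free."""
    chan, args = m
    return sigma.get(chan, chan), tuple(sigma.get(a, a) for a in args)

def match(clause: Clause, solution: Counter) -> Optional[Tuple[Counter, Dict[str, str]]]:
    """Find, for every reception in J, its own message of the same channel and
    arity in the chemical solution (a multiset, as (str-join) leaves it).
    Returns the consumed messages and sigma_rv, or None if J cannot fire."""
    consumed: Counter = Counter()
    sigma: Dict[str, str] = {}
    for chan, params in clause.pattern:
        avail = solution - consumed          # the same message is never used twice
        found = next((m for m in avail if m[0] == chan and len(m[1]) == len(params)), None)
        if found is None:
            return None
        consumed[found] += 1
        sigma.update(zip(params, found[1]))
    return consumed, sigma

def step(defn: Definition, solution: Counter) -> Optional[Counter]:
    """One (red) step of the RCHAM: the first clause that can fire consumes
    J sigma_rv and releases P sigma_rv. None when the solution is inert."""
    for clause in defn:
        hit = match(clause, solution)
        if hit is not None:
            consumed, sigma = hit
            out = solution - consumed
            out.update(subst(m, sigma) for m in clause.body)
            return out
    return None

def run(defn: Definition, solution: Counter, limit: int = 100) -> Counter:
    """Reduce until no clause fires (or limit steps); D itself never changes."""
    for _ in range(limit):
        nxt = step(defn, solution)
        if nxt is None:
            break
        solution = nxt
    return solution

def is_wrong(defn: Definition, solution: Counter) -> bool:
    """Definition 1: a message x<v> meets a reception x(y) of a different arity
    (a channel received at several arities is reported through its last one)."""
    arities = {chan: len(params) for c in defn for chan, params in c.pattern}
    return any(chan in arities and arities[chan] != len(args)
               for chan, args in solution)

def soup(*msgs: Message) -> Counter:
    """Build a chemical solution from parallel messages."""
    return Counter(msgs)

# Constructed definitions: the printer receptor, and the same behaviour obtained
# by composing ready(p) | print(f) |> apply<p,f> with apply(f,x) |> f<x>.
PRINTER: Definition = [
    Clause(pattern=(("ready", ("printer",)), ("print", ("file",))),
           body=(("printer", ("file",)),))]
VIA_APPLY: Definition = [
    Clause(pattern=(("apply", ("f", "x")),), body=(("f", ("x",)),)),
    Clause(pattern=(("ready", ("p",)), ("print", ("f",))),
           body=(("apply", ("p", "f")),))]

if __name__ == "__main__":
    s = soup(("ready", ("gutenberg",)), ("print", ("myths.ps",)))
    print(run(PRINTER, s))     # Counter({('gutenberg', ('myths.ps',)): 1})
```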

Type Inference. Finally, there exists an algorithm that for every typable process returns 
the most general schema environment under which the process can be typed, while it 
fails if it is applied to a process that is not typable. 

3.3 Further Reading 

In [7] Abadi, Fournet, and Gonthier define the sjoin-calculus, which extends the join calculus with constructs for encryption and decryption and with names that can be used as keys, nonces, or other tags. This extension is very reminiscent of the way the spi-calculus (see Section 7) extends the π-calculus: as a matter of fact, the name sjoin was chosen in analogy with spi. The authors also show how to translate sjoin into a lower-level language that includes cryptographic primitives, mapping communication on secure channels into encrypted communication on public channels. A correctness theorem for the translation ensures that one can reason about programs in sjoin without mentioning the cryptographic protocols used to implement them in the lower-level implementation.

In [17] Conchon and Pottier argue that the type system of [14], which forbids the generalization of any type variable that is shared between two jointly defined names (such as fun and arg), is overly restrictive when one wants to use types in a descriptive, rather than prescriptive, way. To that end they switch from the system of [14], in which generalization is performed on syntactic criteria, to a richer type system based on constraints, where generalization is more “semantic” (polymorphic types are interpreted as particular sets of monomorphic types) and fairly natural. However, rather surprisingly, the new generalization criterion hinders type inference, as it turns out to be very difficult (perhaps impossible) to infer a most general type. As a result they propose a more restrictive (and syntactic) criterion that, while it allows type inference, is closer to the original system of [14].

In his PhD thesis [15] Conchon extends the type system of JOIN(X) with information-flow annotations that ensure a noninterference property based on bisimilarity equivalences. The new systems thus obtained can detect, for instance, information flow caused by contention on distributed resources, which is not detected, in a satisfactory way, when using testing equivalences. The achievement is however limited by the fact that equivalences, rather than congruences, are considered.

A more in-depth study of bisimulation for the join calculus can be found in [11].

In all these variants, join remains a concurrent calculus. In [31] the authors define the Distributed Join Calculus, which extends the join calculus essentially with locations, migration, and failure. The new calculus allows one to express mobile agents roaming on the net, that is, agents that autonomously move from some node to a different node where they resume their current execution. Distributed join is also the core of the distributed language JoCaml [16].

4 The Pi Calculus with Groups 

In Section 1 (and we will see it also in Section 7) we discussed the importance of scope extrusion for secrecy. However, inattentive use of scope extrusion may cause secrets to be leaked. Consider a process P that wants to create a private name x. In the pi-calculus this can be done by letting P evolve into a configuration (νx)P', where the channel x is intended to remain private to P'. This privacy policy is going to be violated if the system then evolves into a situation such as the following, where p is a public channel known to a hostile process (opponent) running in parallel with P.

p(y).0 | (νx)(p⟨x⟩ | P')     (2)

In this situation, the name x is about to be sent by P over the public channel p and received by the opponent. In order for this communication to happen, the rules of the pi-calculus, described in Section 1, require first an enlargement of the scope of x. After extrusion we have:

(νx)(p(y).0 | p⟨x⟩ | P')     (3)

Now, x can be communicated over p, and the opponent acquires the secret.
The private name x has been leaked to the opponent by a combination of two mechanisms: the output instruction p⟨x⟩ and the extrusion of (νx). It seems that we need to restrict either communication or extrusion. Since names are dynamic data in the pi-calculus, it is not easy to say that a situation such as p⟨x⟩ (sending x on a channel known to the opponent) should not arise, because p may be dynamically obtained from some other channel, and may not occur at all in the code of P.

The other possibility is to prevent extrusion, which is a necessary step when leaking names outside their initial scope. However, extrusion is a fundamental mechanism in the pi-calculus: blocking it completely would also block innocent communications over p.

A natural question is whether one could somehow declare x to be private, and have this assertion statically checked so that the privacy policy of x cannot be violated. To this end, in [13] the authors add an operation of group creation to the typed pi-calculus, where a group is a type for channels. Group creation is a natural extension of the sort-based type systems developed for the pi-calculus (see Section 1). However, group creation has an interesting and subtle connection with secrecy. Creation of fresh groups has the effect of statically preventing certain communications, and can block the accidental or malicious leakage of secrets.

Intuitively, no channel belonging to a fresh group can be received by processes outside the initial scope of the group, even if those processes are untyped. Crucially, groups are not values, and cannot be communicated; otherwise, this secrecy property would fail.

Starting from the typed pi-calculus, we can classify channels into different groups (usually called sorts). We could have a group G for our private channels and write (νx:G)P to declare x to be of sort G. However, if groups are global (as usually happens with sorts in standard pi-calculus type systems), they do not offer any protection because an opponent could very well mention G in an input instruction, and leakage can thus be made to typecheck:

p(y:G).0 | (νx:G)(p⟨x⟩ | P')     (4)

In order to guarantee secrecy, the group G itself should be secret, so that no opponent can input names of group G, and no part of the process P can output G information on public channels.

In general we want the ability to create fresh groups on demand, and then to create fresh elements of those groups. To this end, we extend the pi-calculus with an operator, (νG)P, to dynamically create a new group G in a scope P. Although group creation is dynamic, the group information can be tracked statically to ensure that names of different groups are not confused. Moreover, dynamic group creation can be very useful: we can dynamically spawn subsystems that have their own pool of shared resources that cannot interfere with other subsystems.

Consider the following process, where G[] is the type of a channel of group G:

(νp:U)(p(y:T).0 | (νG)(νx:G[])p⟨x⟩)     (5)

Here an attempt is made again to send the channel x over the public channel p. Fortunately, this process cannot be typed: the type T would have to mention G, in order to receive a channel of group G, but this is impossible because G is not known in the global scope where p has been declared.
The construct (νG) has extrusion properties similar to (νx), which are needed to permit legal communications over channels unrelated to G channels, but these extrusion rules prevent G from being confused with any groups mentioned in T.

Untyped Opponents. Let us now consider the case where the opponent process is untyped or, equivalently, not well-typed. This is intended to cover the situation where an opponent can execute any instruction without being restricted by static checks such as type checking or bytecode verification. For example, the opponent could be running on a separate, untrusted, machine. Let us consider again the previous process, where we remove typing information from the code of the opponent, since an opponent does not necessarily respect the typing rules. The opponent now attempts to read any message transmitted over the public channel, no matter what its type is.

(νp:U)(p(y).0 | (νG)(νx:G[])p⟨x⟩)     (6)

The untyped opponent will not acquire secret information by cheating on the type of the public channel. The fact that the process P is well typed is sufficient to ensure secrecy, even in the presence of untyped opponents. This is because, in order for P to leak information over a public channel p, the output operation p⟨x⟩ must be well typed. The name x can be communicated only on channels whose type mentions G. So the output p⟨x⟩ cannot be well typed, because then the type U of p would have to mention the group G, but U is not in the scope of G.

We have thus established, informally, that a process creating a fresh group G can never communicate channels of group G to an opponent outside the initial scope of G, either because a (well typed) opponent cannot name G to receive the message, or, in any case, because a well typed process cannot use public channels to communicate G information to an (untyped) opponent. Thus, channels of group G are forever secret outside the initial scope of (νG). So, secrecy is reduced in a certain sense to scoping and typing restrictions. As we have seen, the scope of channels can be extruded too far, perhaps inadvertently, and cause leakage, while the scope of groups offers protection against accidental or malicious leakage, even though it can be extruded as well.

4.1 Syntax and Operational Semantics 

We start by showing the syntax of an asynchronous, polyadic, typed pi-calculus with groups and group creation. Types specify, for each channel, its group and the type of the values that can be exchanged on that channel.

Types  T ::= G[T_1, ..., T_n]     polyadic channel in group G

As usual, in a restriction (νx:T)P the name x is bound in P, and in an input x(y:T).P the names y_1, ..., y_n are bound in P. In a group creation (νG)P, the group G is bound with scope P. Let fn(P) be the set of free names in a process P, and let fg(P), fg(T) be the sets of groups free in a process P and a type T, respectively.

The operational semantics of the calculus is similar to that of the typed pi-calculus described in Section 1. Group creation is handled by the following new rules of structural equivalence and reduction:




Table 9 Typed pi-calculus with Groups 

Expressions  M, N ::= a, ..., p                  name 
                    | x, ..., z                  variable 

Processes  P, Q, R ::= 0                         stop 
                     | u⟨M1, ..., Mn⟩            polyadic output 
                     | u(x1:T1, ..., xn:Tn).P    polyadic input 
                     | (νG)P                     group creation 
                     | (νa:T)P                   restriction 
                     | P | P                     composition 
                     | !P                        replication 

(Struct GRes GRes)   (νG1)(νG2)P ≡ (νG2)(νG1)P 
(Struct GRes Res)    (νG)(νx:T)P ≡ (νx:T)(νG)P      if G ∉ fg(T) 
(Struct GRes Par)    (νG)(P | Q) ≡ P | (νG)Q        if G ∉ fg(P) 
(Red GRes)           (νG)P → (νG)Q                  if P → Q 

Note that rule (Struct GRes Res) is crucial: it implements a sort of “barrier” between 
processes knowing a group name and processes that do not know it. 

4.2 The Type System 

Environments declare names and groups in scope during type-checking; we define en- 
vironments Γ by Γ ::= ∅ | Γ, G | Γ, x:T. We define four typing judgments: first, ⊢ Γ 
means that Γ is well formed; second, Γ ⊢ T means that T is well formed in Γ; third, 
Γ ⊢ x:T means that x : T is in Γ, and that Γ is well formed; and, fourth, Γ ⊢ P means 
that P is well formed in the environment Γ. Typing rules are collected in Table 10. 

Properties of the Type System. A consequence of our typing discipline is the ability to 
preserve secrets. In particular, the subject reduction property, together with the proper 
application of extrusion rules, has the effect of preventing certain communications that 
would leak secrets. For example, consider the process (4) at the beginning of this sec- 
tion: 

(νp:U)(p(y:T).0 | (νG)(νx:G[ ])p⟨x⟩) 

In order to communicate the name x (the secret) on the public channel p, we would 
need to reduce the initial process to the following configuration: 

(νp:U)(νG)(νx:G[ ])(p(y:T).0 | p⟨x⟩) 

If subject reduction holds then this reduced term has to be well-typed, which is true 
only if p : H[T] for some H, and T = G[ ]. However, in order to get to the point of 
bringing the input operation of the opponent next to the output operation, we must have 
extruded the (νG) and the (νx:G[ ]) binders outward. The rule (Struct GRes Res), used to 
extrude (νG) past p(y:T).0, requires that G ∉ fg(T). This contradicts the requirement 
that T = G[ ]. 

Table 10 Typing rules for the pi-calculus with groups 

(Env Empty)   ⊢ ∅ 
(Env n)       ⊢ Γ, u:T                      if Γ ⊢ T and u ∉ dom(Γ) 
(Env Group)   ⊢ Γ, G                        if ⊢ Γ and G ∉ dom(Γ) 
(Type Chan)   Γ ⊢ G[T1, ..., Tn]            if G ∈ dom(Γ) and Γ ⊢ T1, ..., Γ ⊢ Tn 
(Project)     Γ', x:T, Γ'' ⊢ x:T            if ⊢ Γ', x:T, Γ'' 
(GRes)        Γ ⊢ (νG)P                     if Γ, G ⊢ P 
(Input)       Γ ⊢ M(x1:T1, ..., xn:Tn).P    if Γ ⊢ M : G[T1, ..., Tn] and Γ, x1:T1, ..., xn:Tn ⊢ P 
(Res)         Γ ⊢ (νn:T)P                   if Γ, n:T ⊢ P 
(Dead)        Γ ⊢ 0                         if ⊢ Γ 
(Output)      Γ ⊢ M⟨N1, ..., Nn⟩            if Γ ⊢ M : G[T1, ..., Tn] and Γ ⊢ N1:T1, ..., Γ ⊢ Nn:Tn 
(Par)         Γ ⊢ P | Q                     if Γ ⊢ P and Γ ⊢ Q 
(Repl)        Γ ⊢ !P                        if Γ ⊢ P 

Proposition 1 (Subject Congruence). If Γ ⊢ P and P ≡ Q, then Γ ⊢ Q. 

Proposition 2 (Subject Reduction). If Γ ⊢ P and P → Q, then Γ ⊢ Q. 
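
The following Python program is an added example, not code from this survey or from the work on groups it reports on: it implements the environment, type and process judgments of Table 10 as a small checker and runs it on process (4). Since the text leaves U and T unspecified, the example assumes an environment with one pre-existing group H and takes U = H[H[ ]] and T = H[ ]; every function and constant name is the example's own.

```python
"""Checker for the typing judgments of Table 10 (added example; assumptions noted inline)."""
from typing import Optional

# Types T ::= G[T1, ..., Tn] are encoded as (G, (T1, ..., Tn)).
# Processes are tuples tagged by their first element:
#   ("stop",)                      0
#   ("out", u, (N1, ..., Nn))      u<N1, ..., Nn>   asynchronous polyadic output
#   ("in", u, ((x1, T1), ...), P)  u(x1:T1, ..., xn:Tn).P
#   ("group", G, P)                (nu G)P
#   ("res", a, T, P)               (nu a:T)P
#   ("par", P, Q)                  P | Q
# Gamma is a tuple of entries ("group", G) or ("name", x, T) in declaration order.

class IllTyped(Exception):
    """Carries the premise of Table 10 that failed."""

def fmt(ty):
    return f"{ty[0]}[{', '.join(fmt(t) for t in ty[1])}]"

def dom(env):
    return {e[1] for e in env}

def check_type(env, ty):          # (Type Chan): G in dom(Gamma), argument types well formed
    group, args = ty
    if ("group", group) not in env:
        raise IllTyped(f"type {fmt(ty)} mentions group {group}, which is not in scope")
    for t in args:
        check_type(env, t)

def extend_group(env, g):         # (Env Group)
    if g in dom(env):
        raise IllTyped(f"group {g} is already declared")
    return env + (("group", g),)

def extend_name(env, x, ty):      # (Env n): T is checked in the environment preceding x
    if x in dom(env):
        raise IllTyped(f"name {x} is already declared")
    check_type(env, ty)
    return env + (("name", x, ty),)

def lookup(env, x):               # (Project)
    for e in env:
        if e[0] == "name" and e[1] == x:
            return e[2]
    raise IllTyped(f"name {x} is not declared")

def check(env, p):
    """Gamma |- P: returns None when derivable, raises IllTyped with the failing premise."""
    tag = p[0]
    if tag == "stop":                                        # (Dead)
        return None
    if tag == "out":                                         # (Output)
        _, u, names = p
        group, expected = lookup(env, u)
        if len(expected) != len(names):
            raise IllTyped(f"{u} : {fmt((group, expected))} carries {len(expected)} values, {len(names)} sent")
        for n, t in zip(names, expected):
            if lookup(env, n) != t:
                raise IllTyped(f"{n} : {fmt(lookup(env, n))} cannot be sent on {u} : {fmt((group, expected))}")
        return None
    if tag == "in":                                          # (Input)
        _, u, binders, body = p
        if tuple(t for _, t in binders) != lookup(env, u)[1]:
            raise IllTyped(f"binder types of the input on {u} do not match {fmt(lookup(env, u))}")
        inner = env
        for x, t in binders:
            inner = extend_name(inner, x, t)
        return check(inner, body)
    if tag == "group":                                       # (GRes)
        return check(extend_group(env, p[1]), p[2])
    if tag == "res":                                         # (Res)
        return check(extend_name(env, p[1], p[2]), p[3])
    if tag == "par":                                         # (Par)
        check(env, p[1])
        return check(env, p[2])
    raise ValueError(f"not a process: {p!r}")

def why_ill_typed(env, p) -> Optional[str]:
    """None if Gamma |- P holds, otherwise the failing premise as text."""
    try:
        return check(env, p)
    except IllTyped as e:
        return str(e)

# Constructed instance of process (4). Assumed: Gamma holds one pre-existing group H,
# the public channel p has type U = H[H[]] and its input expects T = H[].
GAMMA = (("group", "H"),)
H0 = ("H", ())                     # H[]
U, T = ("H", (H0,)), H0            # U = H[H[]], T = H[]
G0 = ("G", ())                     # G[]
LEAKY = ("res", "p", U, ("par", ("in", "p", (("y", T),), ("stop",)),
                         ("group", "G", ("res", "x", G0, ("out", "p", ("x",))))))
# Declaring p inside the scope of (nu G) instead keeps the same exchange well typed.
SAFE = ("group", "G", ("res", "p", ("G", (G0,)),
        ("par", ("in", "p", (("y", G0),), ("stop",)), ("res", "x", G0, ("out", "p", ("x",))))))
# Giving p a type that mentions G outside the scope of (nu G) is rejected by (Type Chan).
OUT_OF_SCOPE = ("res", "p", ("H", (G0,)), ("stop",))
```

Calling why_ill_typed(GAMMA, LEAKY) reports that x : G[ ] cannot be sent on p : H[H[ ]], i.e. the (Output) premise fails exactly as argued above; SAFE, which declares p inside (νG), is accepted; and OUT_OF_SCOPE fails at (Type Chan), because a type mentioning G cannot be formed outside the scope of G.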

The formalization of secrecy is inspired by Abadi’s definition [2]: a name is kept secret 
from an opponent if after no series of interactions is the name transmitted to the oppo- 
nent. We model the external opponent simply by the finite set of names S known to it. 
A complete formalization of this notion of security can be found in [13]; here we only 
overview the main theorem and its proof. The following theorem expresses the idea 
that in the process (νG)(νx:G[T1, ..., Tn])P, the name x of the new group G is known 
only within P (the scope of G) and hence is kept secret from any opponent able to com- 
municate with the process (whether or not the opponent respects our type system). Let 
erase(P) be the process obtained from P by erasing type annotations and new-group 
creations. Let S be a set of names; we say that a process P preserves the secrecy of x 
from S if P will never communicate the name x to an opponent initially knowing the 
names in S. 

Theorem 7 (Secrecy). Suppose that Γ ⊢ (νG)(νx:T)P where G ∈ fg(T). Let S be the 
names occurring in dom(Γ). Then the erasure (νx)erase(P) of (νG)(νx:T)P preserves 
the secrecy of the restricted name x from S. 
The proof of the secrecy theorem (see [13]) is based on an auxiliary type system 
that partitions channels into untrusted channels, with type Un, and trusted ones, with 
type Ch[T1, ..., Tn], where each Ti is either a trusted or untrusted type. The type system 
insists that names are bound to variables with the same trust level (that is, the same 
type), and that no trusted name is ever transmitted on an untrusted channel. Hence an 
opponent knowing only untrusted channel names will never receive any trusted name. 

In particular, for any group G, we can translate group-based types into the auxiliary 
type system as follows: any type that does not contain G free becomes Un, while a type 
H[T1, ..., Tn] that contains G free is mapped onto Ch[(T1)G, ..., (Tn)G]. This transla- 
tion is proved to preserve typability. This implies that an opponent knowing only names 
whose type does not contain G free will never be able to learn any name whose type 
contains G free. This is the key step in proving the secrecy theorem. 

Finally, note that the typing rules constrain only the principals that want to protect 
their secrets from attackers. On the contrary, there are no restrictions on the code the 
attackers may run; we have in fact that any untrusted opponent may be type-checked as 
follows. 

Lemma 1. For all P, if fn(P) = {x1, ..., xn} then x1:Un, ..., xn:Un ⊢ P. 

This is a distinctive property of the approach we discussed in this section, since it makes 
the type system suitable for reasoning about processes containing both trusted and un- 
trusted subprocesses. 

5 The Security Pi Calculus 

The security π-calculus is an extension of the π-calculus defined by Hennessy and Riely 
[33] to study properties of resource access and information flow control in systems with 
multilevel security. Before discussing the security π-calculus, we first give a very brief 
overview of the underlying models of multilevel security. 

5.1 Multilevel Security 

Traditional models of security are centered around notions of subjects and objects, with 
the former performing accesses on the latter by read and write (as well as append, 
execute, etc. in certain models) operations. Multilevel security presupposes a lattice 
of security levels, and every subject and object in the system is assigned a level in 
this lattice. Based on these levels, accesses to objects by subjects are classified as read-up 
(resp. read-down) when a subject attempts to read an object of higher (resp. lower) level, 
and similarly for write accesses. Relying on this classification, security policies are 
defined to control access to objects by subjects and, more generally, the flow of information 
among the subjects and objects of the system. 

An important class of security policies are the so-called Mandatory Access Control 
(MAC) policies, among which notable examples are defense security and business se- 
curity. Defense security aims at protecting the confidentiality of data by preventing the flow of 
information from high (privileged) subjects to low users. This is accomplished by for- 
bidding read-ups and write-downs to objects: low-level users may not read confiden- 
tial information held in high-level documents, and high-level principals may not write 
information on low-level objects that may be available to low-level users. Business se- 
curity, on the other hand, centers around integrity, and a weaker form of confidentiality, 
and provides guarantees that low-level users have no direct access to secret high-level 
data, either in read or write mode. 

Table 11 Syntax: The Security pi calculus 

Expressions  M, N ::= ... as in Table 1 

Processes  P, Q, R ::= 0              stop 
                     | u⟨N⟩          asynchronous output 
                     | u(x:T).P      input 
                     | (νa:T)P       restriction 
                     | P | P         composition 
                     | !P            replication 
                     | [P]σ          process at clearance σ 

Enforcing confidentiality and integrity often requires further constraints to prevent 
flow of sensitive information to non-authorized subjects arising from subtle and hidden 
ways of transmitting information, viz. covert channels: these may be established in 
several ways, via system-wide side effects on shared system resources. The prototypical 
example of covert channel is realized by means of the “file system full” exception. 
Suppose that a process fills the file system, and then deletes a 1-bit file: further attempts 
by that process to write that file will inform it of any two (high-level) users exchanging 
1-bit information via the file system. 

5.2 Syntax of the Security Pi-Calculus 

The security π-calculus is based on the asynchronous variant of the π-calculus. The 
choice of asynchronous output is motivated by security reasons, as synchronous output 
is more prone to covert channels and implicit flow of information. We will return to this 
point later: as of now, we proceed with our discussion on the asynchronous π-calculus 
and its extension with security. 

There are different ways that the asynchronous π-calculus can be defined: for in- 
stance, one may define it by relying on the same syntax given in Table 1, and by extend- 
ing the relation of structural congruence with the new rule: a⟨M⟩.P ≡ a⟨M⟩.0 | P. This 
rule effectively leads to an asynchronous version of the output operation, as it allows 
the process P to reduce, hence evolve, independently of the presence of an input process 
consuming the value M sent over the channel a. 

Here, however, we will adhere to the more standard practice and use a different 
syntax in which output on a channel is defined as a process rather than a prefix. The 
syntax of the security π-calculus results from the syntax of the π-calculus from this 
change and from introducing a new construct for processes. 

As anticipated, the output construct is now a process rather than a prefix: this is all that 
is needed to account for asynchrony. The new syntactic form [P]σ denotes a process 
P running at security level σ; it has no real computational meaning, as the notion of 
reduction is not affected by this construct. It is, however, relevant to the definition of 
the instrumented semantics that we will introduce to capture a notion of run-time error 
resulting from security violations. 

In the instrumented semantics, we view processes as playing the role of subjects, 
while channels are naturally associated with the role of objects that processes access 
in read and write mode. Security levels are associated with channels by enriching the 
structure of channel types: besides associating input-output capabilities with each name, 
channel types also include a security level. 

The structure of the types is defined in terms of a lattice SL of security levels. We let 
Greek letters like δ, σ, ρ, ... range over the elements of this lattice: the top and bottom 
elements are denoted by ⊤ and ⊥ as usual. To enhance flexibility, the structure of types 
allows different security levels to be associated with the input and output capabilities 
for a channel. Thus, if S and T are types, channel types may be structured as shown in 
the following two examples: 

- {w⊥(S), r⊤(T)}: the type of channels where low processes can write (values of type 
S), and only high processes can read (values of type T). This typing is appropriate 
for a mailbox, where everybody should be allowed to write but only the owner 
should be granted permission to read. 

- {w⊤(S), r⊥(S)}: the type of channels where anybody can read, but only high pro- 
cesses can write. This typing is typical of an information channel, where privileged 
users write information for everyone to read. 

We give a formal definition of types in Section 5.5. Before that, we define the opera- 
tional semantics and formalize a notion of security error. 



5.3 Reduction Semantics 

The operational semantics is given, as for the π-calculus, in terms of the two relations of 
structural congruence and reduction. Structural congruence is defined by the following 
extension of the corresponding relation for the π-calculus: 



Table 12 Structural congruence 

π-Calculus Rules for Structural Equivalence. 

1. P | Q ≡ Q | P,  P | (Q | R) ≡ (P | Q) | R,  P | 0 ≡ P 

2. (νa)0 ≡ 0,  (νa)(νb)P ≡ (νb)(νa)P 

3. (νa)(P | Q) ≡ P | (νa)Q   if a ∉ fn(P) 

4. !P ≡ !P | P 

Security π-Calculus Specific Rules. 

5. [P | Q]σ ≡ [P]σ | [Q]σ 

6. [(νx:T)P]σ ≡ (νx:T)[P]σ 

7. [[P]ρ]σ ≡ [P]σ⊓ρ 

In addition, as for the π-calculus, the definition includes the structural rules that make ≡ 
a congruence. The rules 5 and 6 are not surprising. In rule 7, the notation ρ ⊓ σ indicates 
the greatest lower bound between ρ and σ in the lattice of security levels. Based on this 
relation, the reduction relation is defined as follows: 



Table 13 Reduction Relation 

(Comm)    a⟨M⟩ | a(x:T).P → P{x1 := M1, ..., xk := Mk} 
(Commρ)   [a⟨M⟩]σ | [a(x:T).P]ρ → [P{x1 := M1, ..., xk := Mk}]ρ 
          P | Q → P' | Q,   [P]σ → [P']σ,   (νa:T)P → (νa:T)P'      if P → P' 
(Struct)  P → Q      if P ≡ P', P' → Q' and Q' ≡ Q 

The rule (Comm) is the asynchronous variant of the reduction rule for communications 
from the π-calculus. The rule (Commρ) is the corresponding rule for processes with a 
clearance: as we noted, the presence of the security level does not affect the computa- 
tional behavior of processes. On the other hand, it is the basis for the formalization of 
run-time security error. 



5.4 Security as Resource Access Control 

Security violations occur against a given security policy, which is formalized in the 
calculus in terms of (i) a mapping from resources (i.e. names and values) to their types, 
and of (ii) an auxiliary reduction relation that underlines the import of the policy by 
defining what it means to violate it. As a first example, given a mapping Γ, one may 
enforce a policy for resource access control by stating that processes at clearance σ 
should only have access to channels and values at security level up to (and including) 
σ. This can be formalized by the following additional reductions: 



Table 14 Security Violation 

(E-Input)    [n(x:T).P]ρ → err        if rσ(T) ∈ Γ(n) implies σ ⋢ ρ 
(E-Output)   [n⟨M⟩]ρ → err            if wσ(T) ∈ Γ(n) implies σ ⋢ ρ 
(E-OutVal)   [n⟨M⟩]ρ → err            if M : Bσ and σ ⋢ ρ 
(E-Struct)   P | Q → err,   [P]σ → err,   (νa:A)P → err      if P → err 

The rule (E-Input) states that a process with clearance ρ cannot read from channels 
that are not qualified by the security policy Γ, or that have security level higher than ρ. 
The rule (E-Output) defines dual conditions for errors resulting from an attempt to 
write on restricted channels. The rule (E-OutVal) states that a process with clearance 
ρ may only communicate a value along a channel if that value is not restricted from 
ρ-level processes. In all three cases, the security violation is signalled by a reduction 
to the distinguished process term err. The remaining rules are purely structural, and 
propagate errors from a process to its enclosing terms. 

We give two examples that illustrate the import of different security policies on the 
reduction semantics. 

Example 3 (Resource Access Violations). Consider the process 

P = [c⟨a⟩]⊤ | [c(x).x⟨1⟩]⊥ 

consisting of a high-level and a low-level process communicating over a channel c, 
for which we define the security policy Γ as follows: Γ(a) = A, Γ(c) = C. First, assume 
that the two types A and C are defined as follows: 

A = {w⊤(int), r⊤(int)} and C = {w⊥(A), r⊥(A)} 

By one reduction step, P reduces to the process [a⟨1⟩]⊥, and the latter reduces to err as 
a result of a low-level process attempting to write on the high-level channel a. While 
the violation shows up after one reduction step, it originates earlier, from the fact that 
the value a of “high” level type A is written to channel c : C with “low” write capability. 
Upgrading the write capability on C does not. 

Consider then defining the types A and C differently, giving C high-level write ca- 
pability: 

A = {w⊤(int), r⊤(int)} and C = {w⊤(A), r⊥(A)} 

Again, the reduction of P to [a⟨1⟩]⊥ causes a security violation (i.e. a reduction to err) 
because the low-level process [a⟨1⟩]⊥ does not have the right to write on the channel 
a for which the write capability is “high”. Here the problem originates from the high 
value a being written to a channel c : C with “low” read capability. 

The examples give a flavor of the inherent complexity of statically enforcing a security 
policy. Most of this complexity is determined by “indirect” flow of information arising 
as a result of processes dynamically acquiring new capabilities. In our case, the intuitive 
and direct measures represented by the “no read-up, no write-up” slogan are not enough 
to guarantee the desired effects of the access control policy. Further constraints must be 
imposed to prevent unauthorized access: the purpose of the type system we discuss next 
is to provide provably sufficient conditions for absence of security violations during 
reduction. 

5.5 Types and Subtypes 

The formal definition of types is somewhat complex, as it includes well-formedness 
rules ensuring that types are formed according to certain consistency conditions that 
provide the desired security guarantees. We start by defining sets of pre-capabilities and 
pre-types. 

Pre-Capabilities 

cap ::= rσ(T)        σ-level input channel carrying values of type T 
      | wσ(T)        σ-level output channel carrying values of type T 

Pre-Types 

S, T ::= Bσ                      base type of level σ 
       | {cap1, ..., capk}       channel type, k ≥ 0 
       | (T1, ..., Tk)           tuple type, k ≥ 0 

Next, we introduce the consistency conditions that single out the legal set of types. 
The consistency conditions are formulated in terms of ordering relations over pre- 
capabilities and pre-types induced by the ordering on security levels. Both the subtype 
relations are denoted by the symbol ≤, and are the least reflexive and transitive relations 
that are closed under the rules below. 



Table 15 Subtyping 

(Sub Output)   wσ(S) ≤ wρ(T)                   if T ≤ S and σ ⊑ ρ 
(Sub Input)    rσ(S) ≤ rρ(T)                   if S ≤ T and σ ⊑ ρ 
(Sub Base)     Bσ ≤ Bρ                         if σ ⊑ ρ 
(Sub Type)     {capi}i∈I ≤ {cap'j}j∈J          if (∀j ∈ J)(∃i ∈ I) capi ≤ cap'j 
(Sub Tuple)    (S1, ..., Sk) ≤ (T1, ..., Tk)   if Si ≤ Ti for all i ∈ [1..k] 



The two relations are mutually recursive, following the mutually inductive definition 
of pre-types and pre-capabilities. The rules (Sub Input) and (Sub Output) are the 
direct generalization of the corresponding rules in Table 4. The remaining rules define 
the subtype relation over basic, channel and tuple pre-types, respectively. Note that the 
resulting subtype relation on pre-types generalizes the subtype relation by Pierce and 
Sangiorgi we discussed in Section 2. 

Now the set of types (as opposed to the previously introduced pre-types) is defined 
by a kinding system that identifies the legal pre-types at each security level. Formally, 
for each level ρ, the set Typeρ is the least set closed under the following rules: 



Table 16 Type Formation 

(T-Base)    Bσ ∈ Typeρ                  if σ ⊑ ρ 
(T-Tuple)   (T1, ..., Tk) ∈ Typeρ       if Ti ∈ Typeρ for all i ∈ [1..k] 
(T-Rd)      {rσ(T)} ∈ Typeρ             if T ∈ Typeσ and σ ⊑ ρ 
(T-Wr)      {wσ(T)} ∈ Typeρ             if T ∈ Typeσ and σ ⊑ ρ 
(T-WrRd)    {wσ(S), rσ'(T)} ∈ Typeρ     if S ∈ Typeσ, T ∈ Typeσ', σ, σ' ⊑ ρ and S ≤ T 
There are a number of interesting consequences of the definition that are worth pointing 
out. First note that if σ ⊑ ρ then RTypeσ ⊆ RTypeρ. This follows by a straightforward 
inductive reasoning on the generation of types at each kind. The second thing to note is 
the compatibility requirements between the read and write capabilities in the assump- 
tions of the rule (T-WrRd). The condition σ, σ' ⊑ ρ contributes to the property that 
RTypeσ ⊆ RTypeρ for every σ ⊑ ρ. The assumption S ≤ T, in turn, is a standard con- 
dition required for soundness of channel communication: any value that is written on a 
channel can be read from that channel at a super-type of the value’s true type. Interest- 
ingly, however, the combination of this condition with the security constraints imposed 
by (T-WrRd) and the other rules also has security implications. 

To see them, we first state the following proposition, which can be proved by induc- 
tion on the derivation of S ∈ Typeσ. 

Proposition 3. If S ∈ Typeσ and S ≤ T, then there exists ρ with T ∈ Typeρ and σ ⊑ ρ. 

We illustrate the security implication we just mentioned with an example. Consider 
the type T = {w⊤(S), r⊥(S')}, and a channel a : T. A priori, high-level processes (with 
clearance ⊤) may write to this channel, while low-level processes (with clearance ⊥) 
may read from it. But then, it would seem, the channel may be used to leak sensitive 
information, for low-level processes may read values written by high-level processes. 
In particular, a high-level process could write on a the name of a high-level channel: 
low processes could then read that name and gain access to the channel, thus resulting 
in a violation of the security policy induced by our instrumented semantics. 

A closer look at the type formation and subtyping rules shows that this cannot hap- 
pen. To see why, assume that the type T is legal, that is T ∈ Typeρ for some security 
level ρ. The hypotheses of the (T-WrRd) rule imply that ⊤ ⊑ ρ, hence ρ = ⊤; further- 
more, the two types S and S' must be such that S ∈ Typeσ with σ ⊑ ⊤, and S' ∈ Typeσ' 
with σ' ⊑ ⊥ and S ≤ S'. From these conditions, by the above proposition, it follows that 
σ ⊑ σ', and this, together with σ' ⊑ ⊥, implies that σ = ⊥. In other words, the forma- 
tion rules require that S ∈ Type⊥, which implies that only low values (and channels) 
can be written to any channel of type T. But then, even though high-level processes can 
write on channels of type T, they may only write low-level values: thus only low-level 
information may flow from high to low processes. 

In their present form, the type formation rules limit types to contain at most one 
read and one write capability: this clearly results in a loss of expressive power, but 
there is no fundamental difficulty in extending the formalization to handle types in the 
general form. 

5.6 Typing Rules 

The typing rules, given in Table 17, derive judgments in two forms: the usual form 
Γ ⊢ M : T stating that term M has type T, and the form Γ ⊢σ P which says that process 
P is well-typed in the context Γ, at security level σ (the rules for parallel composition 
and replication are standard, and omitted). 
Table 17 Typing Rules for the Security π-calculus 

(Name)     Γ ⊢ u : A               if Γ(u) ≤ A 
(Restr)    Γ ⊢σ (νa:T)P            if Γ, a:T ⊢σ P, T ∈ Typeσ and a ∉ Dom(Γ) 
(Proc)     Γ ⊢σ [P]ρ               if Γ ⊢ρ P 
(Input)    Γ ⊢σ u(x:T).P           if Γ, x:T ⊢σ P, Γ ⊢ u : rσ(T) and x ∩ Dom(Γ) = ∅ 
(Output)   Γ ⊢σ u⟨M⟩               if Γ ⊢ u : wσ(T) and Γ ⊢ M : T 


The first three rules should be self-explanatory, but note, in the (Restr) rule, that only 
names at level (at most) σ may legally be introduced by well-typed processes running 
at clearance σ. In the (Input) rule, the premises guarantee that the channel is used 
consistently with its associated capabilities and security level. For the latter, note that 
u offers a read capability at the same level σ at which the input process is currently 
running. From the definition of subtyping, and the rule (Name), it follows that Γ(u) = T 
for a type T that includes a read capability at level ρ ⊑ σ; this guarantees that a process 
with clearance σ may read from any channel with security level up to σ, as desired. 
The same reasoning applies to the (Output) rule. The constraints imposed by the typing 
rules, together with the constraints imposed on the type formation rules, provide static 
guarantees of type safety, that is, absence of run-time violations for every well-typed 
process. Type safety is formalized as follows. 

Theorem 8 (Type Safety for Resource Access). Γ ⊢σ P implies [P]σ ↛ err. 

In other words, if a process P is well-typed at clearance o, then neither P nor any of its 
derivatives will attempt a non-authorized access to a value or a channel restricted from 
level a. That P is free of error reductions follows directly from the above theorem: 
that it is also true of the derivatives of P follows by the fact that well-typedness at any 
clearance level is preserved by reduction as stated by the following theorem. 

Theorem 9 (Subject Reduction). If Γ ⊢σ P and P → Q, then Γ ⊢σ Q. 

To exemplify the impact of the type system in enforcing our policy of resource access 
control, consider the process 

P ≜ (νa:A)(νc:C)([c⟨a⟩]⊤ | [c(x).x⟨1⟩]⊥) 

In Example 3 we discussed two definitions for the types A and C: in both cases, the 
process is ill-typed independently of the clearance (⊤ or ⊥) at which we may type it. In 
fact, ill-typedness is a consequence of the type C being ill-formed, as A ∈ Type⊤ may 
not be read from channels of type C with ⊥-level read capability. 

We give more examples illustrating the role of types for security in the next section, 
where we discuss a variation of the type system that provides guarantees for the “no 
read-up, no write-down” constraints distinctive of the defense policy of MAC security. 
5.7 MAC Policies: Defense Security 

Few changes are required to the type formation rules to account for this case of MAC secu- 
rity; the typing rules, instead, are unchanged. To understand and motivate the changes, 
we start with a simple example. 

Example 4 (Defense Security). Consider again the process P from Example 3: 

[c⟨l⟩]⊤ | [c(x).x⟨1⟩]⊥ 

where Γ(c) = C and Γ(l) = L, and the two types C and L are defined as follows. 

C = {w⊥(L), r⊥(L)} and L = {w⊥(int), r⊥(int)}. 

With the current type system, P is well typed in Γ, as the channel c has “low” type and 
offers read and write capabilities: hence both processes may legally access c. The same 
is true of the type assignment l : L, and c : C with L as above, and C defined now as 
C = {w⊤(L), r⊥(L)}. Indeed, it is not difficult to see that there is no violation of our 
resource access policy, as there is no error reduction for P or any of its derivatives. 



In both the above cases, the term P would be rejected as “unsafe” under defense se- 
curity, as in both cases a high-level process ends up writing a low-level object, hence 
establishing a high-to-low flow of information. It is, however, easy to identify the source 
of the problems, and change the type system to enforce the new constraints. 

In the first case, the problem is a direct violation of the “no write-down” constraint, 
which results from the current definition of subtyping. The judgment Γ ⊢⊤ c⟨l⟩ is deriv- 
able by an application of the (Output) rule from the premise Γ ⊢ c : w⊤(L), as Γ(c) ≤ 
w⊤(L). In particular, the subtype relation holds because so does w⊥(L) ≤ w⊤(L): to 
prevent the write-down, it is thus enough to rule out the latter relation. 

In the second case, instead, the problem results from the channel c offering a write 
capability to processes running at high clearance, and read capability to low processes. 
As a result, a low process can “read up” information written by high-level processes on 
the same channel. To prevent such situations, it is enough to refine the type formation 
rules by requiring that a read capability on a channel type not be lower than the write 
capability (if any). 

The new set of types may thus be defined as follows: 

Definition 2 (Types for defense security). For any security level ρ, let Typeρ be the 
least set of types that is closed under the subtype and kind rules of Section 5.5, where 

- rule (Sub Output) is replaced by:   wσ(S) ≤ wσ(T)   if T ≤ S 

- rule (T-WrRd) is replaced by:   {wσ(S), rσ'(T)} ∈ Typeρ   if S ∈ Typeσ, T ∈ Typeσ', σ ⊑ σ' ⊑ ρ and S ≤ T 

Given the new definition of types, and the typing rules of Table 17, it is possible to show 
that well-typed processes do not cause any defense security violation. Of course, this 
requires a new definition of error reductions, to reflect the desired notion of violation 
under defense security. 
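
To make the kinding and subtyping rules concrete, the following Python program is an added example, not code from this survey or from Hennessy and Riely's work: it implements the subtype relation of Table 15, the type formation rules of Table 16 and the two replacements of Definition 2, together with the (E-Input) and (E-Output) checks of Table 14. It assumes a two-point lattice with LOW below HIGH and treats int as the low base type B⊥; with these assumptions it reproduces the verdicts of Examples 3 and 4 and of the discussion in Section 5.6. All identifiers are the example's own.

```python
"""Kinding, subtyping and access-violation checks for the security pi-calculus (added example)."""
from dataclasses import dataclass

LOW, HIGH = 0, 1   # constructed two-point lattice of security levels: LOW is bottom, HIGH is top

def below(s, r):   # sigma below-or-equal rho in the lattice
    return s <= r

@dataclass(frozen=True)
class Base:        # B_sigma, base type of level sigma
    level: int

@dataclass(frozen=True)
class Rd:          # r_sigma(T), sigma-level input capability carrying values of type T
    level: int
    ty: object

@dataclass(frozen=True)
class Wr:          # w_sigma(T), sigma-level output capability carrying values of type T
    level: int
    ty: object

@dataclass(frozen=True)
class Chan:        # {cap_1, ..., cap_k}
    caps: frozenset

@dataclass(frozen=True)
class Tup:         # (T_1, ..., T_k)
    items: tuple

def chan(*caps):
    return Chan(frozenset(caps))

def sub(s, t, defense=False):
    """S <= T (Table 15). With defense=True, (Sub Output) keeps the level fixed (Definition 2)."""
    if isinstance(s, Base) and isinstance(t, Base):              # (Sub Base)
        return below(s.level, t.level)
    if isinstance(s, Wr) and isinstance(t, Wr):                  # (Sub Output), contravariant in T
        levels_ok = s.level == t.level if defense else below(s.level, t.level)
        return levels_ok and sub(t.ty, s.ty, defense)
    if isinstance(s, Rd) and isinstance(t, Rd):                  # (Sub Input), covariant in T
        return below(s.level, t.level) and sub(s.ty, t.ty, defense)
    if isinstance(s, Chan) and isinstance(t, Chan):              # (Sub Type): each cap of T is covered
        return all(any(sub(c, d, defense) for c in s.caps) for d in t.caps)
    if isinstance(s, Tup) and isinstance(t, Tup):                # (Sub Tuple), pointwise
        return len(s.items) == len(t.items) and all(sub(a, b, defense) for a, b in zip(s.items, t.items))
    return False

def well_formed(t, rho, defense=False):
    """T in Type_rho (Table 16). With defense=True, (T-WrRd) also needs the write level below the read level."""
    if isinstance(t, Base):                                      # (T-Base)
        return below(t.level, rho)
    if isinstance(t, Tup):                                       # (T-Tuple)
        return all(well_formed(x, rho, defense) for x in t.items)
    if isinstance(t, Chan):
        wrs = [c for c in t.caps if isinstance(c, Wr)]
        rds = [c for c in t.caps if isinstance(c, Rd)]
        if not t.caps or len(wrs) > 1 or len(rds) > 1:          # at most one write and one read capability
            return False
        for c in t.caps:                                         # shared premises of (T-Rd), (T-Wr), (T-WrRd)
            if not (well_formed(c.ty, c.level, defense) and below(c.level, rho)):
                return False
        if wrs and rds:                                          # (T-WrRd): written values readable at the read type
            w, r = wrs[0], rds[0]
            return sub(w.ty, r.ty, defense) and (below(w.level, r.level) or not defense)
        return True
    return False

def output_error(gamma, n, rho):
    """(E-Output): [n<M>]_rho -> err unless some w_sigma(T) in Gamma(n) has sigma below rho."""
    caps = gamma[n].caps if n in gamma else frozenset()
    return not any(isinstance(c, Wr) and below(c.level, rho) for c in caps)

def input_error(gamma, n, rho):
    """(E-Input): [n(x:T).P]_rho -> err unless some r_sigma(T) in Gamma(n) has sigma below rho."""
    caps = gamma[n].caps if n in gamma else frozenset()
    return not any(isinstance(c, Rd) and below(c.level, rho) for c in caps)

# Constructed instances of the page's examples; int is assumed to be the low base type B_bot.
INT = Base(LOW)
A  = chan(Wr(HIGH, INT), Rd(HIGH, INT))      # Example 3: high channel carrying ints
C1 = chan(Wr(LOW, A), Rd(LOW, A))            # Example 3, first C: low write capability
C2 = chan(Wr(HIGH, A), Rd(LOW, A))           # Example 3, second C: high write, low read
L  = chan(Wr(LOW, INT), Rd(LOW, INT))        # Example 4: low channel carrying ints
C3 = chan(Wr(LOW, L), Rd(LOW, L))            # Example 4, first C
C4 = chan(Wr(HIGH, L), Rd(LOW, L))           # Example 4, second C

def example3_reduces_to_err():
    """[c<a>]_HIGH | [c(x).x<1>]_LOW steps to [a<1>]_LOW: a low write on the high channel a."""
    return output_error({"a": A, "c": C1}, "a", LOW)

def example4_write_down_allowed(defense):
    """Gamma(c) <= w_HIGH(L), the subtyping step behind Gamma |-HIGH c<l> in Example 4."""
    return sub(C3, chan(Wr(HIGH, L)), defense)
```

With these definitions well_formed(A, HIGH) holds while neither C of Example 3 is well formed at any level (A ∈ Type⊤ cannot sit under a ⊥-level read capability), example3_reduces_to_err() is true, and the second C of Example 4 is accepted under resource access but rejected once defense=True, as is the write-down subtyping step w⊥(L) ≤ w⊤(L).
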
5.8 Information Flow Security 

Having outlined a solution to defense security, we conclude our discussion on the secu- 
rity π-calculus with a few observations on information-flow security. 

As we already mentioned, information flow security aims at protecting confiden- 
tiality and integrity of information by preventing ‘implicit’ flow of information via 
covert channels. Examples of covert channels may be naturally formalized in the security 
π-calculus. 

As a first example, consider the system: 

[h(x).if x = 0 then hl⟨0⟩ else hl⟨1⟩]⊤ | [hl(z).Q]⊥ 

where one has hl : HL and h : H, and the two types in question are defined as follows: 

HL = {w⊤(int), r⊥(int)},  H = {w⊤(int), r⊤(int)}. 

We have already noticed the presence of information flow in a similar process in Ex- 
ample 4, resulting from a low process reading on a channel that is written by a high 
process. Here the case of information flow is more interesting, however, as the low pro- 
cess gains additional information on the value x transmitted over the high channel h. 
Indeed, the example is not problematic, as the definition of types for defense security 
rules out this system as insecure. Consider, however, the new system: 

[h(x).if x = 0 then [l⟨0⟩]⊥ else [l⟨1⟩]⊥]⊤ | 

where now h : H, l : L and the two types are defined as follows: 

H = {w⊤(int), r⊤(int)},  L = {w⊥(int), r⊥(int)} 

This system is well-typed, even with the type system of Section 5.7, as the high-level 
process downgrades itself prior to writing on the low-level channel l. Still, the system 
exhibits the same high-to-low flow of information as before. 

As a final example, it is instructive to look at the impact of synchronous communi- 
cation over information flow. Assuming synchronous communication, the following has 
the same problems as the previous one. Consider 

[l1().Q1 | l2().Q2]⊥ | [if x = 0 then l1⟨⟩ else l2⟨⟩]⊤ 

Assuming L = {w⊤(), r⊥()}, and l1, l2 : L, the system is well-typed, and yet there is an 
implicit flow of information arising purely from synchronization: information on the 
value of x may be assumed by both the continuations Q1 and Q2 of the low process. 

5.9 Further Reading 

The work on information-flow security for the π-calculus is well developed in [34] 
and subsequent work by Hennessy (see http://www.cogs.susx.ac.uk/users/matthewh/research.html). 
A related approach is discussed by Honda and Vasconcelos in [35]. 
Information flow analysis based on non-interference originated with the seminal 
idea of Goguen and Meseguer [32]. In process calculi, the first formalizations of non- 
interference were proposed in [51, 24, 52], based on suitable trace-based notions of be- 
havioral process equivalence for CCS-like calculi. 

Information flow analyses based on typing techniques were first discussed in the pi- 
oneering work of D. and P. Denning [19], in which a type system detecting direct and in- 
direct flows among program variables in imperative languages was devised. This initial 
idea was refined and formalized some twenty years later in work on type systems pro- 
viding guarantees of non-interference in multi-threaded programming languages, both 
in nondeterministic [56, 55] and probabilistic settings [53]. 

Type systems for secure information flow and non-interference in process calculi have also 
been applied to enforce secrecy of cryptographic protocols. The most notable applica- 
tions of typing techniques for analysis of security protocols have been developed for 
Abadi and Gordon’s spi calculus [5, 10], that we discuss in the next section. 

6 The CryptoSPA Calculus 

In this section we report from [27] the Cryptographic Security Process Algebra (Cryp- 
toSPA for short). It is basically a variant of value-passing CCS [41], where the processes 
are provided with some primitives for manipulating messages. In particular, processes 
can perform message encryption and decryption, and also construct complex messages 
by composing together simpler ones. 

6.1 Syntax of the Calculus 

CryptoSPA syntax is based on the following elements: 

- A set I = {a, b, ...} of input channels, and a set O = {ā, b̄, ...} of output ones; 

- A set M of basic messages and a set K of encryption keys with a function ·⁻¹ : K → K 
such that (k⁻¹)⁻¹ = k. The set of all messages is defined as the least set 𝓜 such 
that M ∪ K ⊆ 𝓜 and, for all m, m' ∈ 𝓜 and k ∈ K, (m, m') and {m}_k also belong 
to 𝓜; 

- A set C of public channels; these channels represent the insecure network where 
the enemy can intercept and fake messages; 

- A family U of sets of messages and a function Msg(c) : I ∪ O → U which maps 
every channel c into the set of possible messages that can be sent and received along 
that channel. Msg is such that Msg(c) = Msg(c̄); 

- A set Act = {c(m) | c ∈ I, m ∈ Msg(c)} ∪ {c̄(m) | c ∈ O, m ∈ Msg(c)} ∪ {τ} of 
actions (τ is the internal, invisible action), ranged over by a; we also have a function 
chan(a) which returns c if a is either c(m) or c̄(m), and the special channel void 
when a = τ; we assume that void is never used within a restriction operator (see 
below); 

- A set Const of constants, ranged over by A. 

The syntax of CryptoSPA agents is defined as follows: 

E ::= 0 | c(x).E | c̄(e).E | τ.E | E + E | E || E | E \ L | E[f] | 
      A(m₁, ..., mₙ) | [e = e']E; E | [(e₁ ... e_r) ⊢_rule x]E; E 

where x is a variable, m₁, ..., mₙ are messages, e, e₁, ..., e_r are messages (possibly 
containing variables) and L is a set of input channels. Both the operators c(x).E and 
[(e₁ ... e_r) ⊢_rule x]E; E' bind the variable x in E. It is also necessary to define constants 
as follows: A(x₁, ..., xₙ) = E where E is a CryptoSPA agent which may contain no free 
variables except x₁, ..., xₙ, which must be distinct. 

Besides the standard value-passing CCS operators, we have an additional one that 
has been introduced in order to model message handling and cryptography. Informally, 
the process [(m₁ ... m_r) ⊢_rule x]E₁; E₂ tries to deduce a piece of information z from the tuple of 
messages (m₁ ... m_r) through one application of rule ⊢_rule; if it succeeds then it behaves 
like E₁[z/x], otherwise it behaves like E₂. For example, given a rule ⊢_dec for decryption, the 
process [({m}_k, k⁻¹) ⊢_dec x]E₁; E₂ decrypts the message {m}_k through the key k⁻¹ and behaves 
like E₁[m/x], while [({m}_k, k') ⊢_dec x]E₁; E₂ (with k' ≠ k⁻¹) tries to decrypt the same 
message with the wrong inverse key k' and (since this is not permitted by ⊢_dec) behaves 
like E₂. 

We call 𝓔 the set of all the CryptoSPA terms, and we define sort(E) to be the set of 
all the channels syntactically occurring in the term E. 

6.2 The Operational Semantics of CryptoSPA 

In order to model message handling and cryptography, in Table 18 we define an infer- 
ence system which formalizes the way messages may be manipulated by processes. 

Table 18 Inference system for message manipulation 

Let m, m' ∈ 𝓜 and k, k⁻¹ ∈ K. 

(⊢_pair)   m,  m'        ⟹  (m, m') 
(⊢_fst)    (m, m')       ⟹  m 
(⊢_snd)    (m, m')       ⟹  m' 
(⊢_enc)    m,  k         ⟹  {m}_k 
(⊢_dec)    {m}_k,  k⁻¹   ⟹  m 

It is indeed quite similar to those used by many authors (see, e.g., [38, 39]). In par- 
ticular it can combine two messages obtaining a pair (rule ⊢_pair); it can extract one mes- 
sage from a pair (rules ⊢_fst and ⊢_snd); it can encrypt a message m with a key k obtaining 
{m}_k and finally decrypt a message of the form {m}_k only if it has the corresponding 
(inverse) key k⁻¹ (rules ⊢_enc and ⊢_dec). We denote with 𝒟(φ) the set of messages that 
can be deduced by applying the inference rules on the messages in φ. Note that we are 
assuming encryption to be completely reliable. Indeed we do not allow any kind of cryp- 
tographic attack, e.g., the guessing of secret keys. This makes it possible to observe the attacks 
that can be carried out even if cryptography is completely reliable. 
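The inference system of Table 18 can be executed directly. The following Python is an added illustration, not code from the paper: it closes a set of known messages under the destructive rules and then decides membership in 𝒟(φ) for a requested message, using the protocol of this section (A sends {m_A}_{k_AB} over a public channel) as constructed sample data; the tuple encoding of messages and the `inverse` parameter are assumptions of ours.

```python
"""Message deduction in the style of Table 18 (rules pair, fst, snd, enc, dec).

Added illustration, not code from the paper. Messages are nested tuples:
    ("basic", "m")       basic message m in M
    ("key", "k")         key k in K
    ("pair", m1, m2)     the pair (m1, m2)
    ("enc", m, k)        the ciphertext {m}_k
The inverse-key function k -> k^-1 is passed in as `inverse`; perfect
cryptography is assumed, exactly as in the text: {m}_k yields m only with k^-1.
"""
from typing import Callable, FrozenSet, Iterable, Tuple

Msg = Tuple          # nested tuples shaped as documented above


def basic(name: str) -> Msg:
    return ("basic", name)


def key(name: str) -> Msg:
    return ("key", name)


def pair(m1: Msg, m2: Msg) -> Msg:
    return ("pair", m1, m2)


def enc(m: Msg, k: Msg) -> Msg:
    return ("enc", m, k)


def analyze(phi: Iterable[Msg], inverse: Callable[[Msg], Msg]) -> FrozenSet[Msg]:
    """Close phi under the destructive rules fst, snd and dec.

    D(phi) itself is infinite (pair and enc can always build bigger messages),
    so the closure is split: this fixpoint applies only the rules that take
    messages apart; `derivable` below handles the constructive rules on demand.
    """
    known = set(phi)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            parts = []
            if m[0] == "pair":                                # rules fst and snd
                parts = [m[1], m[2]]
            elif m[0] == "enc" and inverse(m[2]) in known:    # rule dec: needs k^-1
                parts = [m[1]]
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return frozenset(known)


def derivable(target: Msg, phi: Iterable[Msg], inverse: Callable[[Msg], Msg]) -> bool:
    """True iff target is in D(phi): analysed knowledge plus rules pair and enc."""
    known = analyze(phi, inverse)

    def synth(t: Msg) -> bool:
        if t in known:
            return True
        if t[0] == "pair":                                    # rule pair
            return synth(t[1]) and synth(t[2])
        if t[0] == "enc":                                     # rule enc: need m and k
            return synth(t[1]) and synth(t[2])
        return False                                          # basics and keys are atomic

    return synth(target)


# Constructed sample mirroring the example protocol of this section:
# A sends {m_A}_{k_AB} on a public channel, so the enemy learns the ciphertext.
symmetric = lambda k: k                                       # k^-1 = k
m_A, k_AB = basic("m_A"), key("k_AB")
ciphertext = enc(m_A, k_AB)


def enemy_learns_payload(enemy_knowledge: Iterable[Msg]) -> bool:
    return derivable(m_A, enemy_knowledge, symmetric)


if __name__ == "__main__":
    print(enemy_learns_payload({ciphertext}))         # False: the key was never leaked
    print(enemy_learns_payload({ciphertext, k_AB}))   # True: with the key, dec applies
```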

The formal behavior of a CryptoSPA term is described by means of the labelled 
transition system ⟨𝓔, Act, {→_a}_{a ∈ Act}⟩, where →_a is the least relation between 
CryptoSPA terms induced by the axioms and inference rules of Table 19. 
Table 19 Operational semantics 

(input)     m ∈ Msg(c)  ⟹  c(x).E --c(m)--> E[m/x] 
(output)    m ∈ Msg(c)  ⟹  c̄(m).E --c̄(m)--> E 
(internal)  τ.E --τ--> E 
(||₁)       E --a--> E'  ⟹  E || E₁ --a--> E' || E₁ 
(||₂)       E --c(m)--> E',  E₁ --c̄(m)--> E₁'  ⟹  E || E₁ --τ--> E' || E₁' 
(+₁)        E --a--> E'  ⟹  E + E₁ --a--> E' 
(\L)        E --a--> E',  chan(a) ∉ L  ⟹  E \ L --a--> E' \ L 
([f])       E --a--> E'  ⟹  E[f] --f(a)--> E'[f] 
(=)         m = m',  E₁ --a--> E₁'  ⟹  [m = m']E₁; E₂ --a--> E₁' 
(≠)         m ≠ m',  E₂ --a--> E₂'  ⟹  [m = m']E₁; E₂ --a--> E₂' 
(def)       E[m₁/x₁, ..., mₙ/xₙ] --a--> E',  A(x₁, ..., xₙ) = E  ⟹  A(m₁, ..., mₙ) --a--> E' 
(⊢₁)        (m₁ ... m_r) ⊢_rule m,  E₁[m/x] --a--> E₁'  ⟹  [(m₁ ... m_r) ⊢_rule x]E₁; E₂ --a--> E₁' 
(⊢₂)        ∄m : (m₁ ... m_r) ⊢_rule m,  E₂ --a--> E₂'  ⟹  [(m₁ ... m_r) ⊢_rule x]E₁; E₂ --a--> E₂' 

Plus symmetric rules for +₁, ||₁ and ||₂, which are omitted. 



Example. We present a very simple example of a protocol where A sends a message 
m_A to B encrypted with a key k_AB shared between A and B. We define it as P = 
A(m_A, k_AB) || B(k_AB) where A(m, k) = c̄({m}_k) and B(k) = c(y).[(y, k) ⊢_dec z] out̄(z). 
Moreover, k_AB⁻¹ = k_AB (symmetric encryption) and Msg(c) = {{m}_k | m ∈ M, k ∈ K}. 
We want to analyze the execution of P with no intrusions, so we consider P \ {c}, 
since the restriction guarantees that c can be used only inside P. We obtain a system 
which can only execute the action out̄(m_A), which represents the correct transmission of m_A 
from A to B. In particular, the only possible execution is the one where A sends to B the 
message {m_A}_{k_AB}, and then out̄(m_A) is executed: 

P \ {c} --τ--> (0 || [({m_A}_{k_AB}, k_AB) ⊢_dec z] out̄(z)) \ {c} --out̄(m_A)--> (0 || 0) \ {c} 

The calculus of CryptoSPA has been successfully applied to the automatic specifi- 
cation and the verification of security protocols, see [20, 26, 27, 21, 25, 23, 48-50, 22]. 



For the sake of readability, we omit the termination 0 at the end of every agent specification, 
e.g., we write a in place of a.0. We also write [m = m']E in place of [m = m']E; 0 and analo- 
gously for [(m₁ ... m_r) ⊢_rule x]E; 0. 

Note that the process A(m, k) above could also be written as A(m, k) = [(m, k) ⊢_enc x] c̄(x). 
7 The Spi-Calculus 

The spi calculus is an extension of the pi calculus with cryptographic primitives that 
was introduced by Abadi and Gordon in [5, 10]. The spi calculus is designed 
for describing and analyzing security protocols, such as those for authentication and 
for electronic commerce. These protocols rely on cryptography and on communica- 
tion channels with properties like authenticity and privacy. Accordingly, cryptographic 
operations and communication through channels are the main ingredients of the spi 
calculus. 

As we discussed in Section 1, some abstract security protocols can be expressed in 
the pi calculus, thanks to its simple but powerful primitives for channels. Moreover, 
the scoping rules of the pi calculus guarantee that the environment of a protocol (the 
attacker) cannot access a channel that is not explicitly given to it; scoping is thus the basis 
of security. However, as we pointed out, when considering a distributed environment it 
is not realistic to rely only on the scope rules: we also have to prevent the context from 
having free access to public channels over which private names are communicated. In 
a distributed environment such channel protection relies on the use of cryptography. 
With shared-key cryptography, secrecy can be achieved by communication on public 
channels under secret keys. 

The spi calculus is thus an extension of the pi calculus that considers cryptographic 
issues in more detail. Its features can be summarized as follows: 

- it permits an explicit representation of the use of cryptography in protocols, while 
it does not seem easy to represent encryption and decryption within the pi calculus; 

- it relies on the powerful scoping constructs of the pi calculus; 

- within the spi calculus, the environment can be defined as an arbitrary spi calculus 
process instead of giving an explicit model; 

- security properties, both integrity and secrecy, can be represented as equivalences 
and analyzed by means of static techniques. 

7.1 Syntax and Semantics 

The syntax of the spi calculus extends a particular version of the pi calculus with con- 
structs for encrypting and decrypting messages (see Table 20). In standard pi calculus 
names are the only terms. For convenience, the syntax of spi calculus also contains 
constructs for pairing and numbers, namely (M, N), 0 and succ(M). Furthermore, the 
term {M₁, ..., M_k}_N represents the ciphertext obtained by encrypting M₁, ..., M_k under 
the key N using a shared-key cryptosystem such as DES. The key is an arbitrary term; 
typically, names are used as keys because in the spi calculus names are unguessable 
capabilities. 

Intuitively, the new constructs of spi calculus have the following meanings: a match 
[M is N]P behaves as P provided that terms M and N are the same, otherwise it is stuck. 
A pair splitting process let (x, y) = M in P, where x and y are bound in P, behaves as 
P{x := N, y := L} if the term M is the pair (N, L). An integer case process case M of 0 : 
P succ(x) : Q, where x is bound in Q, behaves as P if term M is 0, as Q{x := N} if M 
is succ(N). Finally the process case L of {x₁, ..., x_k}_N in P, where x₁, ..., x_k are bound 
in P, attempts to decrypt the term L with the key N; if L is a ciphertext of the form 
{M₁, ..., M_k}_N, then the process behaves as P{x₁ := M₁, ..., x_k := M_k}, and otherwise 
the process is stuck. 

Table 20 Spi calculus syntax 

Expressions L, M, N ::= 
  bv                                   basic value 
  a, ..., p                            name 
  x, ..., z                            variable 
  (M, N)                               pair 
  0                                    zero 
  succ(M)                              successor 
  {M₁, ..., M_k}_N                     shared-key encryption (k ≥ 0) 

Processes P, Q, R ::= 
  0                                    stop 
  ū⟨N₁, ..., N_k⟩.P                    output (k ≥ 0) 
  u(x₁, ..., x_k).P                    input (k ≥ 0) 
  (νa)P                                restriction 
  P | P                                composition 
  !P                                   replication 
  [M is N]P                            match 
  let (x, y) = M in P                  pair splitting 
  case M of 0 : P succ(x) : Q          integer case 
  case L of {x₁, ..., x_k}_N in P      shared-key decryption (k ≥ 0) 

Implicit in the definition of the spi calculus syntax are some standard but significant 
assumptions about cryptography: (i) the only way to decrypt an encrypted packet is to 
know the corresponding key; (ii) an encrypted packet does not reveal the key that was 
used to encrypt it; (iii) there is sufficient redundancy in messages so that the decryption 
algorithm can detect whether a ciphertext was encrypted with the expected key. 



Operational Semantics. The operational semantics of spi calculus can be defined in 
terms of a structural congruence and a reduction relation, extending the corresponding 
relations defined in Section 1 for the π calculus. In particular, structural congruence is 
defined as the least congruence relation closed under rules 1.-4. of Section 1.1 plus the 
following rules: 

(Red Repl)     !P ≡ P | !P 
(Red Match)    [M is M]P ≡ P 
(Red Let)      let (x, y) = (M, N) in P ≡ P{x := M, y := N} 
(Red Zero)     case 0 of 0 : P succ(x) : Q ≡ P 
(Red Succ)     case succ(M) of 0 : P succ(x) : Q ≡ Q{x := M} 
(Red Decrypt)  case {M}_N of {x}_N in P ≡ P{x := M} 

The reduction relation → is then the least relation closed under the rules of Table 21. 

Table 21 Reduction relation 

(Comm)    m(x₁, ..., x_k).P | m̄⟨M₁, ..., M_k⟩.Q → P{x₁ := M₁, ..., x_k := M_k} | Q 
(Struct)  P ≡ P',  P' → Q',  Q' ≡ Q  ⟹  P → Q 
(Res)     P → P'  ⟹  (νn)P → (νn)P' 
(Par)     P → P'  ⟹  P | Q → P' | Q 

In order to develop proof techniques for the spi calculus, we define an auxiliary, equivalent, 
operational semantics based on a commitment relation, in the style of Milner [44]. The 
definition of commitment depends on two new syntactic forms: abstractions and con- 
cretions. An abstraction is a term of the form (x₁, ..., x_k)P, where x₁, ..., x_k are bound variables 
and P is a process. A concretion is a term of the form (νm₁, ..., m_l)⟨M₁, ..., M_k⟩P where M₁, ..., M_k are 
expressions, P is a process, and the names m₁, ..., m_l are bound in M₁, ..., M_k and P. 
Finally an agent is an abstraction, a process or a concretion. We use the metavariables 
A and B to stand for arbitrary agents, C for concretions, and F for abstractions. 
Restriction and parallel composition for abstractions and concretions are defined as fol- 
lows: 

(νm)(x₁, ..., x_k)P = (x₁, ..., x_k)(νm)P 
Q | (x₁, ..., x_k)P = (x₁, ..., x_k)(Q | P)                          with {x₁, ..., x_k} ∩ fv(Q) = ∅ 
(νm)(νn₁, ..., n_l)⟨M₁, ..., M_k⟩P = (νm, n₁, ..., n_l)⟨M₁, ..., M_k⟩P   with m ∉ {n₁, ..., n_l} 
Q | (νn₁, ..., n_l)⟨M₁, ..., M_k⟩P = (νn₁, ..., n_l)⟨M₁, ..., M_k⟩(Q | P)  with {n₁, ..., n_l} ∩ fn(Q) = ∅ 

If F is the abstraction (x₁, ..., x_k)P and C is the concretion (νn₁, ..., n_l)⟨M₁, ..., M_k⟩Q, 
and if {n₁, ..., n_l} ∩ fn(P) = ∅, we define the processes F@C and C@F as follows: 

F@C = (νn₁) ... (νn_l)(P{x₁ := M₁, ..., x_k := M_k} | Q) 
C@F = (νn₁) ... (νn_l)(Q | P{x₁ := M₁, ..., x_k := M_k}) 

Let the reduction relation > be the least relation on closed processes that satisfies the 
following axioms: 

(Red Repl)     !P > P | !P 
(Red Match)    [M is M]P > P 
(Red Let)      let (x, y) = (M, N) in P > P{x := M, y := N} 
(Red Zero)     case 0 of 0 : P succ(x) : Q > P 
(Red Succ)     case succ(M) of 0 : P succ(x) : Q > Q{x := M} 
(Red Decrypt)  case {M}_N of {x}_N in P > P{x := M} 

A barb β is a name m (representing input) or a co-name m̄ (representing output). An 
action is a barb or a distinguished silent action τ. The commitment relation is written 
P --α--> A where P is a closed process, α is an action and A is a closed agent. The 
commitment relation is defined by the rules in Table 22. 

The following proposition asserts that the two operational semantics for spi cal- 
culus, the one based on the reduction relation and the other one based on the commitment 
relation, are equivalent. 

Proposition 4. P → Q if and only if P --τ--> Q' for some Q' ≡ Q. 
Table 22 Commitment relation 

(Comm Out)      m̄⟨M₁, ..., M_k⟩.P --m̄--> (ν)⟨M₁, ..., M_k⟩P 
(Comm In)       m(x₁, ..., x_k).P --m--> (x₁, ..., x_k)P 
(Comm Inter 1)  P --m--> F,  Q --m̄--> C  ⟹  P | Q --τ--> F@C 
(Comm Inter 2)  P --m̄--> C,  Q --m--> F  ⟹  P | Q --τ--> C@F 
(Comm Par 1)    P --α--> A  ⟹  P | Q --α--> A | Q 
(Comm Par 2)    Q --α--> A  ⟹  P | Q --α--> P | A 
(Comm Res)      P --α--> A,  α ∉ {m, m̄}  ⟹  (νm)P --α--> (νm)A 
(Comm Red)      P > Q,  Q --α--> A  ⟹  P --α--> A 

Testing Equivalence. Testing equivalence is useful to compare process behaviors and 
to define security properties such as secrecy and authentication. 

Let a test be a pair (Q, β) consisting of a closed process Q and a barb β. We say that 
P passes a test (Q, β) if and only if 

(P | Q) --τ--> Q₁ --τ--> ... --τ--> Qₙ --β--> A 

for some n ≥ 0, some processes Q₁, ..., Qₙ and some agent A. We obtain a testing 
preorder ⊑ and a testing equivalence ≃ on closed processes: 

P ⊑ P'  ≜  for any test (Q, β), if P passes (Q, β) then P' passes (Q, β) 

P ≃ P'  ≜  P ⊑ P' and P' ⊑ P 

The idea of testing equivalence comes from the work of De Nicola and Hennessy [18]. 
A test neatly formalizes the idea of a generic experiment or observation that another 
process (such as an attacker) might perform on a process. Thus testing equivalence 
concisely captures the concept of equivalence in an arbitrary environment. Furthermore, 
testing equivalence is a congruence; more precisely, if P ≃ Q then P and Q may be used 
interchangeably in any context, that is C[P] ≃ C[Q] for any closed context C. 

7.2 Secrecy by Typing in the Spi Calculus 

In this section we describe the rules that Abadi proposed in [1] for achieving secrecy prop- 
erties in security protocols expressed in the spi calculus. The rules have the form of 
typing rules; they guarantee that, if a protocol typechecks, then it does not leak its se- 
cret inputs. Before starting the formalization of the type system, we recall from [1] 
some informal security principles that we adopt in the following. 

First, our rules should constrain only the principals that want to protect their secrets 
from the attacker. This is because, while in some situations we may assume that the attacker 
cannot guess certain keys, we cannot expect to restrict the code that the attacker 
runs. 
We then consider only three classes of data: Public data, which can be communicated 
to anyone; Secret data, which should not be leaked; and Any data, that is, arbitrary data. We 
refer to Secret, Public and Any as levels or types. We then assume that 

The result of encrypting data with a public key has the same classification as 
the data, while the result of encrypting data with a secret key may be made 
public. 

Only public data can be sent on public channels, while all kinds of data may be 
sent on secret channels. 

Because a piece of data of level Any could be of level Secret, it should not be leaked. 
On the other hand, a piece of data of level Any could be of level Public, so it cannot be 
used as a secret. Thus 

if all we know about a piece of data is that it has level Any, then we should 
protect it as if it had level Secret, but we can exploit it only if it had level 
Public. 

In our rules we adopt a standard format for all messages on secret channels or under 
secret keys. Each message on a secret channel has three components, the first of which 
has level Secret, the second Any, and the third Public, plus a confounder component. 
This schema implements the following principle: 

Upon receipt of a message, it should be easy to decide which part of the con- 
tents are sensitive information, if any. This decision is least error-prone when 
it does not depend on implicit context. 

For the use of confounders, note that if each encrypted message of a protocol includes a 
freshly generated confounder in a standard position, then the protocol will not generate 
the same ciphertext more than once. 

Types and Typing Rules. The syntax of types corresponds to the three classes of data: 

Types S, T ::= Public | Secret | Any 

There is also a subtyping relation between types: T <: S holds if T equals S or if S is Any. 
The typing system contains three forms of judgments: ⊢ E stating that the environment 
E is well formed, E ⊢ M : T stating that the term M is of level T in E, and E ⊢ P stating 
that the process P typechecks in E. 

An environment is a list of distinct names and variables with associated levels. 
In addition, each name n has an associated term of the form {M₁, ..., M_k, n}_N. This 
association means that the name n may be used as a confounder only in the term 
{M₁, ..., M_k, n}_N. We write x : T for variable x with level T, and n : T :: {M₁, ..., 
M_k, n}_N for name n with level T and associated term {M₁, ..., M_k, n}_N. The rules for environments are in Table 23. 

The hypotheses of rule (Env Name) imply that if a variable x occurs in {M₁, ..., 
M_k, n}_N, then it is declared in E. This means that we cannot instantiate the variable x 
in several ways, obtaining several different terms with the same confounder, and thus 
defeating the purpose of confounders. 
Table 23 Environment formation 

(Env ∅)     ⊢ ∅ 
(Env Var)   ⊢ E,  x ∉ dom(E)  ⟹  ⊢ E, x : T 
(Env Name)  ⊢ E,  n ∉ dom(E),  E ⊢ M_i : T_i (i = 1..k),  E ⊢ N : S  ⟹  ⊢ E, n : T :: {M₁, ..., M_k, n}_N 

Table 24 Typing rules for terms 

(Subsum)    E ⊢ M : T,  T <: S  ⟹  E ⊢ M : S 
(Variable)  ⊢ E,  x : T ∈ E  ⟹  E ⊢ x : T 
(Name)      ⊢ E,  n : T :: {M₁, ..., M_k, n}_N ∈ E  ⟹  E ⊢ n : T 
(Zero)      ⊢ E  ⟹  E ⊢ 0 : Public 
(Succ)      E ⊢ M : T  ⟹  E ⊢ succ(M) : T 
(Pair)      E ⊢ M : T,  E ⊢ N : T  ⟹  E ⊢ (M, N) : T 
(Encrypt Secret)  E ⊢ M₁ : Secret,  E ⊢ M₂ : Any,  E ⊢ M₃ : Public,  E ⊢ N : Secret,  n : T :: {M₁, M₂, M₃, n}_N ∈ E  ⟹  E ⊢ {M₁, M₂, M₃, n}_N : Public 
(Encrypt Public)  E ⊢ M_i : T (i = 1..k),  E ⊢ N : Public  ⟹  E ⊢ {M₁, ..., M_k}_N : T,  with T = Public if k = 0 



Rules (Zero) and (Succ) say that 0 is of level Public and that adding one preserves 
the level of a piece of data. Therefore, these classifications mean that the typing system 
works even against an attacker that may generate any number, starting from 0 and suc- 
cessively incrementing it. The rule (Encrypt Public) says that k pieces of data of the 
same level T can be encrypted under a key of level Public, with a resulting ciphertext 
of level T. The rule (Encrypt Secret) imposes more restrictions for encryption under 
keys of level Secret, because the resulting ciphertext is of level Public. These restrictions 
enforce a particular format for the contents and the use of a confounder: the ciphertext 
must contain a first component of level Secret, a second one of level Any, a third one of 
level Public, and an appropriate confounder as final component. Note that there is no 
rule for encryption for the case where N is a term of level Any. 

Finally, typing rules for processes are collected in Table 25. 

The first four rules handle input and output processes. Rule (Output Public) says 
that terms of level Public may be sent on a channel of level Public. Rule (Output 
Secret) says that terms of all levels may be sent on a channel of level Secret, pro- 
vided this is done according to the correct format of a secret message. The two rules 
for input match these rules for output. Note that if M is a term of level Any and it is 
not known whether it is of level Public or Secret, then M cannot be used as a channel. 
The rule (Pair Split) breaks a term of level Public or Secret into two components, 
each assumed to be of the same level as the original term. The case where the origi- 
nal term is known only to be of level Any is disallowed; if it were allowed, this rule 
would permit leaking whether the term is in fact a pair. The same holds true for rules 
(Match), (Integer) and (Decrypt). Rule (Decrypt Secret) gives the level Any 
to the confounder in the message being decrypted, for lack of more accurate static in- 
formation but with no significant loss. Finally, note that there is no rule for decryption 
with a key of level Any. 

Table 25 Typing rules for processes 

(Output Public)   E ⊢ M : Public,  E ⊢ M_i : Public (i = 1..k),  E ⊢ P  ⟹  E ⊢ M̄⟨M₁, ..., M_k⟩.P 
(Output Secret)   E ⊢ M : Secret,  E ⊢ M₁ : Secret,  E ⊢ M₂ : Any,  E ⊢ M₃ : Public,  E ⊢ P  ⟹  E ⊢ M̄⟨M₁, M₂, M₃⟩.P 
(Input Public)    E ⊢ M : Public,  E, x_i : Public (i = 1..k) ⊢ P  ⟹  E ⊢ M(x₁, ..., x_k).P 
(Input Secret)    E ⊢ M : Secret,  E, x₁ : Secret, x₂ : Any, x₃ : Public ⊢ P  ⟹  E ⊢ M(x₁, x₂, x₃).P 
(Dead)            ⊢ E  ⟹  E ⊢ 0 
(Par)             E ⊢ P,  E ⊢ Q  ⟹  E ⊢ P | Q 
(Repl)            E ⊢ P  ⟹  E ⊢ !P 
(New)             E, n : T :: L ⊢ P  ⟹  E ⊢ (νn)P 
(Pair Split)      T ∈ {Public, Secret}:  E ⊢ M : T,  E, x : T, y : T ⊢ P  ⟹  E ⊢ let (x, y) = M in P 
(Integer)         T ∈ {Public, Secret}:  E ⊢ M : T,  E ⊢ P,  E, x : T ⊢ Q  ⟹  E ⊢ case M of 0 : P succ(x) : Q 
(Match)           T, S ∈ {Public, Secret}:  E ⊢ M : T,  E ⊢ N : S,  E ⊢ P  ⟹  E ⊢ [M is N]P 
(Decrypt Public)  T ∈ {Public, Secret}:  E ⊢ L : T,  E ⊢ N : Public,  E, x_i : T (i = 1..k) ⊢ P  ⟹  E ⊢ case L of {x₁, ..., x_k}_N in P 
(Decrypt Secret)  T ∈ {Public, Secret}:  E ⊢ L : T,  E ⊢ N : Secret,  E, x₁ : Secret, x₂ : Any, x₃ : Public, x₄ : Any ⊢ P  ⟹  E ⊢ case L of {x₁, x₂, x₃, x₄}_N in P 
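As an added illustration of how Tables 23-25 work together (not code from the paper), the following Python typechecks terms and processes against the rules above, with a tuple encoding of terms, processes and environments that is our own; it is applied to the process (νK)(νm)(νn)c̄⟨{m, x, 0, n}_K⟩ discussed with Theorem 10 below, and to a variant that outputs the Any-level parameter x on the public channel directly.

```python
"""Checker for the core of the secrecy type system of Tables 23-25 (added
illustration, not the paper's code; the tuple encoding below is ours).
Terms:     ("var", x) | ("name", n) | ("zero",) | ("succ", M) | ("pair", M, N)
           | ("enc", [M1, ..., Mk], N)            {M1,...,Mk}_N
Processes: ("stop",) | ("par", P, Q)
           | ("out", M, [M1, ..., Mk], P)         output M<M1,...,Mk>.P
           | ("in", M, [x1, ..., xk], P)          input M(x1,...,xk).P
           | ("new", n, T, L, P)                  (vn)P, adding n : T :: L to E
Environment E: dict id -> (level, L); L is the confounder term, None for variables."""
PUBLIC, SECRET, ANY = "Public", "Secret", "Any"

class Untypable(Exception):
    pass

def subtype(t, s):
    return t == s or s == ANY                      # T <: S iff T = S or S = Any

def lub(levels):
    """Least level above all given ones (Public for none); Public and Secret meet at Any."""
    levels = set(levels)
    return next(iter(levels)) if len(levels) == 1 else (ANY if levels else PUBLIC)

def type_of(env, m):
    """Minimal level of term m; larger levels follow by (Subsum)."""
    tag = m[0]
    if tag in ("var", "name"):                     # (Variable), (Name)
        if m[1] not in env: raise Untypable(f"{m[1]} is not declared in E")
        return env[m[1]][0]
    if tag == "zero":                              # (Zero)
        return PUBLIC
    if tag == "succ":                              # (Succ)
        return type_of(env, m[1])
    if tag == "pair":                              # (Pair)
        return lub([type_of(env, m[1]), type_of(env, m[2])])
    if tag == "enc":
        parts, key_level = m[1], type_of(env, m[2])
        if key_level == PUBLIC:                    # (Encrypt Public); Public if k = 0
            return lub(type_of(env, p) for p in parts)
        if key_level == SECRET:                    # (Encrypt Secret): fixed format
            if len(parts) != 4: raise Untypable("need Secret, Any, Public, confounder")
            m1, m2, m3, conf = parts
            check(env, m1, SECRET); check(env, m2, ANY); check(env, m3, PUBLIC)
            if conf[0] != "name" or env.get(conf[1], (None, None))[1] != m:
                raise Untypable(f"{conf} is not the declared confounder of this ciphertext")
            return PUBLIC
        raise Untypable("no encryption rule for a key of level Any")
    raise Untypable(f"unknown term {m}")

def check(env, m, s):
    t = type_of(env, m)                            # E |- M : S via (Subsum)
    if not subtype(t, s):
        raise Untypable(f"{m} has level {t}, not a subtype of {s}")

def check_process(env, p):
    """E |- P; raises Untypable when no rule of Table 25 applies."""
    tag = p[0]
    if tag == "stop":                              # (Dead)
        return True
    if tag == "par":                               # (Par)
        return check_process(env, p[1]) and check_process(env, p[2])
    if tag == "new":                               # (New), with (Env Name) on L
        _, n, level, assoc, body = p
        if n in env: raise Untypable(f"{n} is already in E")
        new_env = {**env, n: (level, assoc)}
        if assoc is not None:                      # each component of L must be typable
            for t in list(assoc[1]) + [assoc[2]]: type_of(new_env, t)
        return check_process(new_env, body)
    if tag in ("out", "in"):
        _, chan, items, body = p
        level = type_of(env, chan)
        if level == ANY:
            raise Untypable("a term known only to be of level Any cannot be a channel")
        if level == SECRET and len(items) != 3:
            raise Untypable("messages on secret channels have exactly three components")
        fmt = [SECRET, ANY, PUBLIC] if level == SECRET else [PUBLIC] * len(items)
        if tag == "out":                           # (Output Public), (Output Secret)
            for msg, lvl in zip(items, fmt):
                check(env, msg, lvl)
            return check_process(env, body)
        bound = {x: (lvl, None) for x, lvl in zip(items, fmt)}   # (Input Public/Secret)
        return check_process({**env, **bound}, body)
    raise Untypable(f"unknown process {p}")

def typechecks(env, p):
    """True iff E |- P is derivable with the rules implemented here."""
    try:
        return check_process(env, p)
    except Untypable:
        return False

# Constructed sample: the process after Theorem 10, (vK)(vm)(vn) c<{m,x,0,n}_K>,
# with x : Any and c : Public, and a variant that outputs x on c directly.
E0 = {"x": (ANY, None), "c": (PUBLIC, None)}
CT = ("enc", [("name", "m"), ("var", "x"), ("zero",), ("name", "n")], ("name", "K"))
SAFE = ("new", "K", SECRET, None, ("new", "m", SECRET, None,
        ("new", "n", SECRET, CT, ("out", ("name", "c"), [CT], ("stop",)))))
LEAK = ("out", ("name", "c"), [("var", "x")], ("stop",))
```

`typechecks(E0, SAFE)` is true while `typechecks(E0, LEAK)` is false, because x : Any is not a subtype of Public and so (Output Public) does not apply.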

Properties of the Type System. The main property of the previous type system is that if 
a process P typechecks, then it does not leak the values of parameters of level Any. 

The secrecy property of well typed processes is formalized in the following theorem, 
where the notion of leaking is expressed via testing equivalence. 
Theorem 10 (Secrecy). If only variables of level Any and only names of level Public 
are in the domain of the environment E, if σ and σ' are two substitutions of values for the 
variables in E, and if P typechecks, i.e. E ⊢ P, then Pσ and Pσ' are testing equivalent, 
i.e. Pσ ≃ Pσ'. 

The conclusion of Theorem 10 means that an observer cannot distinguish Pσ and 
Pσ', so it cannot detect the difference in the values for the variables. Despite their 
secrecy, none of these variables is declared with level Secret; however, the process 
P may produce terms of level Secret during its execution using the restriction opera- 
tor (e.g. it may construct fresh encryption keys). For instance, P may be the process 
(νK)(νm)(νn)c̄⟨{m, x, 0, n}_K⟩ where x is of level Any and c is of level Public, and 
where we can assign the type Secret to the bound names K, m, n. Theorem 10 implies 
that P does not leak the value of x, in the sense that P{x := M} and P{x := N} are testing 
equivalent for all closed terms M and N. Thus, the typing system is meant to protect 
parameters of level Any relying on dynamically generated names of level Secret. 

7.3 An Example with Key Establishment 

We argued that the spi calculus enables more detailed descriptions of security protocols 
than the pi calculus. While the pi calculus enables the representation of channels, the 
spi calculus also enables the representation of channel implementations in terms of 
cryptography. 

As in the pi calculus, scoping is the basis of security in spi calculus. In particular, 
restriction can be used to model the creation of fresh, unguessable cryptographic keys. 
Restriction can also be used to model the creation of fresh nonces of the sort used in 
challenge-response exchanges. 

In this section we refine the example shown in Section 1, where we presented an 
abstract and simplified version of the Wide Mouthed Frog protocol. The following ex- 
ample is the cryptographic version of that of Section 1. In this protocol, the principals 
A and B share keys K_AS and K_SB respectively with a server S. When A and B want to 
communicate securely, A creates a new key K_AB, sends it to the server under K_AS, and 
the server forwards it to B under K_SB. Since all communication is protected by encryp- 
tion, communication can take place through public channels, which we write c_AS, c_SB 
and c_AB as in Section 1. In addition to the keys and the payload M, the protocol mes- 
sages include the names of principals and confounders. Informally, a simplified version 
of this protocol is: 

Message 1:  A → S:  {K_AB, *, (A, B), C_A}_{K_AS}   on c_AS 

Message 2:  S → B:  {K_AB, *, (A, B), C_S}_{K_SB}   on c_SB 

Message 3:  A → B:  {*, M, *, C'_A}_{K_AB}          on c_AB 

The channels c_AS, c_SB, c_AB are public. The keys K_AS, K_SB are secret keys for communi- 
cation with the server, while K_AB is the new secret key for communication from A to B. 
C_A, C'_A, C_S are confounders, and * is an arbitrary message of appropriate level. In Mes- 
sage 1, A provides the key K_AB to S, which passes it on to B in Message 2. In Message 
1 and Message 2, the pair (A, B) conveys the names of the users of the key. In Message 
3, A uses K_AB for sending M. 




132 



Michele Bugliesi et al. 



In the spi calculus, we can express this message sequence as follows, where we 
assume that B, after receiving the message M from A, outputs an arbitrary message on 
a public channel d: 

S = c_AS(x).case x of {x_key, x₁, x₂, x_cnf}_{K_AS} in (νC_S) c̄_SB⟨{x_key, x₁, x₂, C_S}_{K_SB}⟩ 

B = c_SB(x).case x of {x_key, x₁, x₂, y_cnf}_{K_SB} in 
    c_AB(z).case z of {z₁, z_cipher, z₂, z_cfn}_{x_key} in d̄⟨*⟩ 

Inst(M) ≜ (νK_AS)(νK_SB)(A(M) | S | B) 

Now, assuming that M is a term of type Any, and c_AS, c_SB, c_AB, d are channels of type 
Public, it is easy to prove that the process Inst(M) is well typed. As a consequence of 
Theorem 10, we have that the protocol above does not reveal the message M from A. 
In particular, we have Inst(M') ≃ Inst(M'') for arbitrary terms M', M''. 

Notice that also in this version of the Wide Mouthed Frog protocol, the use of scope 
extrusion is essential: A generates the key Kab and sends it out of scope to B via S. 

In the example discussed so far, channel establishment and data communication happen 
only once. More sophisticated examples may be written to represent many protocol 
sessions between many principals. However, as the intricacy of the examples increases, 
so does the opportunity for errors. Note that many of the mistakes in authentication 
protocols arise from confusion between sessions. See [6] for further examples. 

7.4 Secrecy Types for Asymmetric Communication 

Although so far we have discussed only shared-key cryptography, other kinds of cryp- 
tography are also easy to treat within the spi calculus. Many security protocols use 
asymmetric communication primitives, namely communication channels with only one 
fixed end-point (the receiver) and, in particular, public-key encryption. Compared to 
shared-key encryption, these primitives present special difficulties, partly because they 
rely on pairs of related capabilities (e.g. "public" and "private" keys) with different levels 
of secrecy and scopes. 

In this section, we show a variant of the spi calculus that focuses on asymmetric commu- 
nication primitives, especially public-key encryption. This process calculus was 
proposed by Abadi and Blanchet in [3], where the authors also show a type system in which 
types convey secrecy properties and such that well-typed programs keep their secrets. 

We consider a polyadic, asynchronous, variant of spi calculus that includes channels 
with only one fixed end-point (the receiver) and public-key encryption. Channels with 
fixed receivers can be used for transmitting secrets if the adversary cannot listen on 
those channels. On the other hand, the capability for sending on those channels may 
be published. Such channels may therefore convey not only secrets but also public data 
from the adversary. The type system will handle both cases. 

In addition, in a public-key encryption scheme, the capabilities of encryption and 
decryption are separate, and can be handled separately. Typically, the capability for 
decryption (the “private” key) remains with one principal, while the capability for en- 
cryption (the “public” key) may be published. Our process calculus and type system 
treat public-key encryption and communication on channels with fixed receivers analo- 
gously. 
Table 26 Syntax of the process calculus 

Expressions L, M, N ::= 
  a, ..., p, k                             name 
  x, ..., z                                variable 
  {M₁, ..., M_k}_N                         encryption (k ≥ 0) 

Processes P, Q, R ::= 
  0                                        stop 
  M̄⟨M₁, ..., M_k⟩                          output (k ≥ 0) 
  a(x₁, ..., x_k).P                        input (k ≥ 0) 
  (νa)P                                    restriction 
  P | P                                    composition 
  !P                                       replication 
  case M of {x₁, ..., xₙ}_k : P else Q     decryption (n ≥ 0) 
  if M = N then P else Q                   conditional 

The syntax of the process calculus is shown in Table 26. In order to deal with asym- 
metric communication, Abadi and Blanchet in [3] propose to follow the same approach 
of the local pi calculus [40]. 

In the local pi calculus, input is possible only on channels that are syntactically rep- 
resented by names (and not variables). Output is possible on channels represented by 
names or variables. Thus, the input capability for a channel a remains within the scope 
of the restriction (v a)P where a is created, while the output capability can be trans- 
mitted outside. Further, this approach is extended to public-key encryption, as follows. 
Decryption is possible only with keys that are syntactically represented by names (and 
not variables). Encryption is possible with keys that are represented by names or vari- 
ables. Thus we have a model where the encryption capability may be public while the 
decryption capability remains private, in the scope where it is generated. 

Thus, when a name a refers to a channel, it represents both end-points of the chan- 
nels, that is the capabilities for output and input on the channel. A variable can confer 
only the former capability, even if its run-time value is a. Similarly, a name k will not 
represent a single encryption or decryption key, but rather the pair of an encryption 
key and the corresponding decryption key. A variable can confer only the capability of 
encrypting, even if its value is k at run-time. 

As an example, consider the following process: 

(νk)(ā⟨k⟩ | b(x).case x of {y}_k : c̄⟨y⟩) 

This process relies on three public channels, a, b, c. It generates a fresh key pair k; out- 
puts the corresponding encryption key on a; and receives messages on b, filtering for 
one encrypted under k, of which it outputs the plaintext on c. 

The operational semantics of the calculus can be defined in a standard way using a 
reduction relation and a structural congruence relation, see [3] for details. 
Secrecy by Typing. In the following we show a type system such that well-typed processes are proven to keep their secrets. In particular, we use a concept of secrecy similar to the one we discussed for the spi calculus and in Section 4 for the pi calculus. We say that a process preserves the secrecy of a piece of data M if the process never publishes M, or anything that would permit the computation of M, even in interaction with an attacker. Moreover, we think of an attacker as any process Q of the calculus, represented by the sets of its initial capabilities (i.e. the set of names on which it is able to output, input, encrypt, and decrypt).

The types of our type system are defined by the following grammar:

Types T ::= Public | Secret | C^L[T1, ..., Tn] | K^L[T1, ..., Tn]

Let L range over {Public, Secret}; we will write C^L[T1, ..., Tn] and K^L[T1, ..., Tn]. We have a subtyping relation that is the least reflexive relation such that C^L[T1, ..., Tn] ≤ L and K^L[T1, ..., Tn] ≤ L. Note that we do not have Secret ≤ Public or vice versa.

Public (resp. Secret) is the type of public (resp. secret) data. C^Secret[T1, ..., Tn] is the type of a channel on which the opponent cannot send messages, and which carries n-tuples with components of types Ti. Similarly, K^Secret[T1, ..., Tn] is the type of an encryption key that the adversary does not have, and which is used to encrypt n-tuples with components of types Ti. C^Public[T1, ..., Tn] is the type of a channel on which the opponent may send messages. The channel may be intended to carry n-tuples with components of types Ti, but the adversary may send any data it has (that is, any public data) along that channel. Similarly, K^Public[T1, ..., Tn] is the type of an encryption key that the opponent may have. This key is intended for encrypting n-tuples with components of types Ti, but the adversary may encrypt any data it has (that is, any public data) under this key.

We do not show the typing rules for this process calculus (see [3]); we only discuss the rationale of the type system.



- Any public data can be sent on a channel of type C^Public[T1, ..., Tn] or Public. This use of the channel may not seem to conform to its declared type. However, it is unavoidable, since we expect that an attacker can use the channel; moreover, it does not cause harm from the point of view of secrecy.

- Since channels of type C^Secret[T1, ..., Tn] may not be known by an attacker, we can guarantee that only tuples with types T1, ..., Tn can be sent on such a channel.

- When typing the process a(x1, ..., xn).P where a is a channel of type C^Public[T1, ..., Tn], two cases arise. In the first case the input values are of type Public, in the second case the input values have the expected types T1, ..., Tn. In order to typecheck the process a(x1, ..., xn).P, the type system thus checks that the process P executed after the input is well typed in both cases.

- When reading from a channel a of type C^Secret[T1, ..., Tn], the input values must be of the expected types T1, ..., Tn since the channel a cannot be known to the attacker.

- Rules for encryption are similar to those for output. Any public data can be encrypted under a public encryption key, and data of types T1, ..., Tn can be encrypted under a key of type K^L[T1, ..., Tn]. Dually, rules for decryption are similar to those for input.

- Ciphertexts are always of type Public.

This type system reflects a binary view of secrecy, according to which the world is divided into system and attacker, and a secret is something that the attacker does not have. When we wish to express that a piece of data is a secret for a given set of principals, we define the system to include only the processes that represent those principals. Note that the mechanism of group creation we discussed in Section 4 directly supports a richer view of secrecy that does not simply divide the world into two parts. Even if that approach does not treat cryptography, we think that the type system with group creation can be extended to deal also with cryptographic primitives.

Properties of the Type System. We start with a lemma that says that every process is well-typed, at least in a fairly trivial way that makes its free names public. This lemma is important because it means that any process that represents an opponent is well-typed. It is a formal counterpart to the informal idea that the type system cannot constrain the adversary.

Lemma 2. Let P be an untyped process. If fn(P) ⊆ {a1, ..., an}, fv(P) ⊆ {x1, ..., xm}, and Ti ≤ Public for all i = 1 ... m, then a1 : Public, ..., an : Public, x1 : T1, ..., xm : Tm ⊢ P.

We end with an informal statement of the secrecy theorem; see [3] for a complete formalization.

Theorem 11 (Secrecy). Let P be a well-typed, closed process. Then P preserves the secrecy of names of type Secret against adversaries that can input, output, encrypt, and decrypt on names declared Public, and output and encrypt on names declared C^Public[...] and K^Public[...].

As an example, we can obtain a : Public, s : Secret ⊢ (ν k) a⟨{s}k, k⟩ by letting k : K^Public[Secret]. Then the theorem above implies that the process (ν k) a⟨{s}k, k⟩ preserves the secrecy of s from any opponent that can input, output, encrypt, and decrypt on a. In other words, if Q is a closed process and fn(Q) ⊆ {a}, then Q | (ν k) a⟨{s}k, k⟩ does not output s on a. Thus, assuming that Q does not have s in advance, Q cannot guess s or compute it from the message on a.
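The rationale above can be exercised with a small checker. This is an added example and not the type system of [3]: it encodes the calculus and the types as Python tuples (a hypothetical encoding) and implements only the rules the bullets describe, with the simplification that decryption is applied to data of type Public; the names a, b, c, s and k follow the examples in the text.

```python
"""Toy checker for the secrecy-by-typing rationale (added example, not the
paper's typing rules). Hypothetical AST encoding:
  types:       "Public" | "Secret" | ("C", L, [T1..Tn]) | ("K", L, [T1..Tn])
  expressions: ("name", a) | ("var", x) | ("enc", [M1..Mn], N)  for {M1..Mn}N
  processes:   ("stop",) | ("out", M, [N..], P) | ("in", a, [x..], P)
               ("new", k, T, P) | ("par", P, Q) | ("rep", P)
               ("case", M, [x..], k, P, Q) | ("if", M, N, P, Q)"""
PUBLIC, SECRET = "Public", "Secret"

def subtype(t, u):
    """Least reflexive relation with C^L[..] <= L and K^L[..] <= L."""
    return t == u or (isinstance(t, tuple) and u == t[1])

def fits(actual, declared):
    """Component-wise subtyping of an n-tuple against declared T1..Tn."""
    return len(actual) == len(declared) and all(
        subtype(a, d) for a, d in zip(actual, declared))

def all_public(types):
    return all(subtype(t, PUBLIC) for t in types)

def type_expr(env, m):
    """Type of expression m under env; raises TypeError if ill-typed."""
    if m[0] in ("name", "var"):
        return env[m[1]]
    args = [type_expr(env, x) for x in m[1]]
    key = type_expr(env, m[2])
    typed_key = isinstance(key, tuple) and key[0] == "K" and fits(args, key[2])
    # any public data may be encrypted under a public key (the attacker can)
    if typed_key or (subtype(key, PUBLIC) and all_public(args)):
        return PUBLIC                     # ciphertexts are always Public
    raise TypeError(f"ill-typed encryption {m}")

def well_typed(env, p):
    """True iff process p is well typed under env (False on any violation)."""
    try:
        return _check(env, p)
    except (TypeError, KeyError):
        return False

def _branches(t, tag, arity):
    """Assignments a receiver must be checked under: the declared T1..Tn,
    plus all-Public when the attacker may also use the channel or key."""
    if not (isinstance(t, tuple) and t[0] == tag and len(t[2]) == arity):
        raise TypeError(t)
    return [t[2]] + ([[PUBLIC] * arity] if t[1] == PUBLIC else [])

def _bind(env, xs, ts):
    return {**env, **dict(zip(xs, ts))}

def _check(env, p):
    tag = p[0]
    if tag == "stop":
        return True
    if tag == "out":                      # M<N1..Nn>.P
        _, m, ns, cont = p
        ch, args = type_expr(env, m), [type_expr(env, n) for n in ns]
        typed = isinstance(ch, tuple) and ch[0] == "C" and fits(args, ch[2])
        public = subtype(ch, PUBLIC) and all_public(args)
        return (typed or public) and _check(env, cont)
    if tag == "in":                       # a(x1..xn).P, a must be a name
        _, a, xs, cont = p
        branches = ([[PUBLIC] * len(xs)] if env[a] == PUBLIC
                    else _branches(env[a], "C", len(xs)))
        return all(_check(_bind(env, xs, ts), cont) for ts in branches)
    if tag == "new":                      # (nu k : T) P
        _, k, t, cont = p
        return _check({**env, k: t}, cont)
    if tag in ("par", "rep"):
        return all(_check(env, q) for q in p[1:])
    if tag == "case":                     # case M of {x1..xn}k : P else Q
        _, m, xs, k, cont, alt = p
        if not subtype(type_expr(env, m), PUBLIC):
            return False                  # only (Public) ciphertexts decrypt
        branches = _branches(env[k], "K", len(xs))
        return (all(_check(_bind(env, xs, ts), cont) for ts in branches)
                and _check(env, alt))
    _, m, n, cont, alt = p                # if M = N then P else Q
    type_expr(env, m)
    type_expr(env, n)
    return _check(env, cont) and _check(env, alt)

# Constructed examples: a, b, c are public channels and s is a secret name
ENV = {"a": PUBLIC, "b": PUBLIC, "c": PUBLIC, "s": SECRET}

def publish_key(key_type):
    """(nu k : key_type) a<{s}k, k>, the example process from the text."""
    msg = [("enc", [("name", "s")], ("name", "k")), ("name", "k")]
    return ("new", "k", key_type, ("out", ("name", "a"), msg, ("stop",)))

def decrypt_and_forward(key_type):
    """(nu k : key_type)(a<k> | b(x).case x of {y}k : c<y> else 0)."""
    fwd = ("case", ("var", "x"), ["y"], "k",
           ("out", ("name", "c"), [("var", "y")], ("stop",)), ("stop",))
    return ("new", "k", key_type, ("par",
            ("out", ("name", "a"), [("name", "k")], ("stop",)),
            ("in", "b", ["x"], fwd)))
```

With k : K^Public[Secret] the first process typechecks while the second does not, because in the branch where the decrypted y is Secret it would be output on the public channel c.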

7.5 Further Reading 

In [6], a final section shows how we could add to the syntax of the pure spi calculus cryptographic operations such as hashing, public-key encryption and digital signatures.

A more general approach is that of [4], where the authors introduce and study the so-called applied pi calculus, a uniform extension of the pi calculus that is parameterized on a finite set of function symbols. Such functions can be instantiated as data structures (e.g. pairs) but also as cryptographic functions such as hashing, (a)symmetric encryption, probabilistic encryption, and message authentication codes (MACs). The main advantage of the applied pi calculus is that its semantics and proof techniques represent a common framework to reason about very different security protocols.

Besides secrecy, other security properties can be studied in the context of the spi calculus. As an example, see [6] for a formalization of the authenticity property with testing equivalence.

Finally, in [8, 7, 9] the authors study the security properties of the join calculus (a variant of the pi calculus with an emphasis on distributed programming [28]) enriched with cryptography.
Abstract. Many security properties of cryptographic protocols can be formalized as specific instances of a general scheme, called Generalized Non Deducibility on Composition (GNDC). This scheme derives from the NDC property we proposed a few years ago for studying information flow in computer systems. The theory is formulated for CryptoSPA, a process algebra we introduced for the specification of cryptographic protocols. One of the advantages of our unifying GNDC-based theory is that formal comparison among security properties becomes easier, as they are all instances of a unique general property. Moreover, the full generality of the approach has helped us in finding a few undocumented attacks on cryptographic protocols.

This paper is based on the results of [20,22,23,24,25] and covers the second part of the course “Classification of Security Properties” given by Roberto Gorrieri and Riccardo Focardi at the FOSAD’00 and FOSAD’01 schools.



1 Introduction 

Many security properties of cryptographic protocols have been identified in re- 
cent years, such as secrecy (confidential information should be available only to 
the partners of the communication), authentication (capability of identifying the 
other partner engaged in a communication), integrity (assurance of no alteration 
of message content), non repudiation (assurance that a signed document can- 
not be repudiated by the signer), fairness (in a contract, no party can obtain 
advantage by ending the protocol first), and some others. 

Even if there is widespread agreement on the intended meaning of these properties, under closer scrutiny one realizes that they are very slippery properties, especially authentication. As a matter of fact, formal definitions of,
Fig. 1. Multilevel security: a high subject S1 cannot write a low object O2 and a low subject S2 cannot read a high object O1.



e.g. authentication, have been given rarely, not widely agreed upon, usually not 
compared and only recently proposed in the literature (see, e.g., [5,27,33,42]). 
This is sometimes due to the fact that we first need a formal model on which 
the problem is defined (and this is often a source of possible proliferation of 
different proposals) and then a formal definition with respect to the chosen 
model. Moreover, even when a formal definition is given, usually this is not 
(easily) comparable to others, due to different mathematical assumptions of the 
model. 

Our claim is that a classic approach to security, used to study information 
flow in multilevel [6] computer systems, can be profitably used also for the anal- 
ysis of security properties in network protocols. 

1.1 Multilevel Security and Non-interference 

In a multilevel system, processes/users and objects are bound to a specific security level (e.g., in the military jargon, unclassified, classified, secret and top secret) and information can only flow from low levels to higher ones. This is usually implemented by constraining the possible actions of processes according to the rules of no read-up and no write-down (see Fig. 1).

The advantage of this approach with respect to conventional approaches used in commercially available operating systems (e.g., Unix) is that the possible information disclosures caused by the inadvertent execution of a Trojan Horse program are confined inside the level of the user that executed it. However, these two rules are not enough, as indirect information flows, usually called covert channels, may be possible when using some shared resource. For instance, it is not difficult to build a Trojan Horse program that, once executed by a high level user, is able to downgrade information by synchronizing with a low level process on the system side-effects generated by repeatedly filling the shared hard disk: the high process can transmit a bit 0 by causing a disk-full error on the low level attempt to write, or a bit 1 by allowing the low process to write.

To solve the problem of preventing unauthorized information flows, be they 
direct or indirect, in the last two decades many proposals have been presented. 
starting from the seminal idea of non interference proposed in [26] for deterministic state machines. In recent work [17,18,19], two of the authors have studied the many non interference-like definitions in the literature, by defining all of them uniformly in a common process algebraic setting, producing the first taxonomy of these security properties reported in the literature.

In [17,18,19], we use a CCS-like process algebra [38], called Security Process Algebra (SPA for short), where the set of actions is partitioned into two sets L and H of low actions and high ones, respectively. Processes built by using only actions in H (L) are called high (low) level processes. These processes are secure by construction, because their activities (expressed by the actions they perform) are confined inside the high (low) level. More interesting is the case of mixed processes (built with actions from both L and H), because only for them can information flow between the two levels. Of course, we are interested in detecting whether information flows in the wrong direction (from high to low). Among the many non interference-like properties, we advocate a particular one, called Non Deducibility on Composition (NDC for short), that can be expressed as follows:

P ∈ NDC iff ∀Π ∈ E_H : (P || Π) \ H ≈ P \ H

where E_H is the set of all high level processes, ≈ is a behavioural equivalence^1 relation, || is the CCS parallel composition and \ is the CCS restriction operator. Hence, on the one hand, P \ H is able to exhibit only the low level behaviour of P, while (P || Π) \ H is the low level behaviour of P || Π. The basic intuition is that the requirement of

No information flow from high to low
is expressed by the extensional, behavioural condition
No high level process can change the low behaviour.



1.2 Non-interference for Security Protocols 

When considering network security, other kinds of problems become relevant. In particular, communication protocols are executed on unreliable networks (hence, messages can be lost or duplicated) which are also insecure (hence, messages can be intercepted, fabricated and possibly modified by third, malicious parties that can control the network traffic). In order to achieve reasonable security services (e.g., secrecy of the transmitted data), network protocols typically exploit cryptographic primitives. Such enhanced protocols are usually called cryptographic protocols.

In the analysis of cryptographic protocols, one has to cope with the insecurity of the network. So, it is assumed that an external, possibly malicious, attacker (sometimes called enemy or intruder) of the protocol has complete control over the communication medium. On the other hand, perfect cryptography is also usually assumed, i.e., such an enemy is not able to perform cryptanalytic attacks:

^1 Actually, NDC in [17,18] is this property when ≈ is trace equivalence; variations on the theme are obtained by changing the relation, e.g., BNDC is as above where ≈ is weak bisimulation, as we will see in the sequel.
an encrypted message can be decrypted by the enemy only if he knows (or is able to learn) the relevant decryption key. Such an analysis scenario is often referred to as the Dolev-Yao approach [12].

In order to model cryptographic protocols, the SPA process algebra is enriched with primitives for handling messages and cryptographic functions. The resulting process algebra is called CryptoSPA [25].

Correspondingly, the NDC-based analysis technique for security in computer systems has to be adapted. NDC essentially says that a system P is secure if its low behaviour in isolation is the same as its low behaviour when exposed to the interaction with any high level process Π. Analogously, we may think that a protocol P is secure if its (low) behaviour is the same as its (low) behaviour when exposed to the possible attacks of any intruder X. To set up the correspondence, this analogy forces us to consider the enemies as the high processes. Since the enemy has complete control over the communication medium, the CryptoSPA public channels in set C (i.e., the names used for message exchange) are the high level actions. On the other hand, as a protocol specification is usually completely given by message exchanges, it may not be obvious what the low level actions are. In our approach, the low level actions are extra observable actions that are included into the protocol specification to observe properties of the protocol. Of course, the choice of these extra actions (and the place in the specification where they are to be inserted) is property dependent. For instance, we will see that to model some form of authentication as in [32], it is enough to include special start/commit actions for all the honest participants.

Furthermore, enemies should not be allowed to know secret information in advance: as we assume perfect cryptography, the initial knowledge of an enemy must be limited to include only publicly available information, such as names of entities and public keys, and its own private data (e.g., the enemy’s private key). Hence, by following [25,24,22], the set E_φI of all the admissible attackers is as follows:

E_φI = {X | sort(X) ⊆ C and ID(X) ⊆ D(φI)}

where C is the set of public channel names, sort(X) is the set of channel names syntactically occurring in X, ID(X) is the set of messages that syntactically appear in X, φI is the initial knowledge given to any enemy X, and D is a deduction system that manipulates (blocks of) messages in the obvious way (e.g., an encrypted message can be disclosed if the decryption key is known). By requiring that all the messages in ID(X) are deducible from φI we are stating that the enemy cannot know in advance messages that are not derivable from the explicitly given set φI. The NDC property for a protocol P can hence be reformulated as:

P ∈ NDC_φI iff ∀X ∈ E_φI : (P || X) \ C ≈ P \ C

On the one hand, P \ C represents the secure specification of the protocol P running in isolation on perfectly secure channels. The visible behaviour of P is given by the property dependent, extra observable actions included into the specification. Hence, the behaviour of P \ C describes the protocol in isolation, where the security property of interest holds. On the other hand, if P \ C is equivalent to (P || X) \ C, then this clearly means that X is not able to modify in any way the observable execution of P, i.e., the security property holds even when P is executed in any possible hostile environment with initial knowledge φI. Intuitively, in the setting of cryptographic protocols, interferences may represent possible attacks. As a consequence, non interference guarantees the absence of attacks.

Interestingly enough, when the observational equivalence « is trace equiva- 
lence (two systems are equivalent if they perform the same set of traces), then 
NDC can be characterized in a simpler way, by finding a canonical, most general 
enemy that can be used in place of all. By removing the universal quantification, 
NDC can be verified by one single, albeit huge, check. The most general enemy 
is an attacker that can eavesdrop/intercept any message (adding the intercepted 
information to its knowledge set), as well as produce new messages with pieces 
of information he knows. 

1.3 The GNDC Scheme 

The Generalized NDC (GNDC) scheme [25,23] relaxes, in some aspects, the NDC property presented above, in order to express uniformly many security properties. As we will see in the next sections, it is general enough to capture many different properties of cryptographic protocols. To give the flavour of how GNDC works, we present a very simple example of a key-exchange protocol. For such a protocol, we consider two authentication properties and we show how they can be formalized in terms of observable events. Finally, we show how such formalizations can be seen as instances of GNDC.

The simple key-exchange protocol we consider has the aim of distributing a fresh session-key Ks from Alice (A) to Bob (B) by using a long-term key K shared between such users. The new key Ks will be used by Alice and Bob to communicate inside the current session. Session-key distrib ution is a (standard) way to reduce the risk of cryptanalytic attacks on cryptographic keys, as it allows two parties to establish a new key for each new session.

A → B : {Ks, A}K

The notation A → B : msg above represents A sending message msg to B; moreover {M}K is used to denote the encryption of M with the key K.

In order for this protocol to be effective, it must intuitively provide both authentication and secrecy of the session key Ks. In particular, B should be guaranteed that Ks really comes from A and that nobody else knows it. Both of these properties should be guaranteed by the encryption of Ks with K. Here we focus on authentication and we consider two variants of it:

(i) key authenticity requires that key Ks is authentic from A; this should be guaranteed by the fact that only A and B know the long-term key K: when B decrypts the message he concludes that only A may have generated it. In case this property is required on a generic message M (not necessarily a key), we refer to it as message authenticity;

(ii) entity authentication requires that, at the end of the protocol, B is convinced that A has been running the protocol with him; again, this should be guaranteed by the fact that only A and B know the long-term key K.

In the following we show that the two properties above do not hold on the simple 
protocol we are considering, when multiple sessions are considered. 

Message Authenticity. A simple way to check message authenticity is to fix in advance the key Ks that A is willing to distribute to B and require that in all the possible (concurrent) runs of the protocol B always receives the correct key Ks, i.e. the key that A wanted to send to B. If this is true, we can conclude that the protocol guarantees that no one is able to force B to accept a fake session key K's. This notion of message authenticity is due to Abadi and Gordon [2].

A first important thing to observe is that considering all the possible runs is not enough. At least we need to be more precise about what we mean by run. As a matter of fact, we have to consider all the possible executions of the protocol in every possible (potentially hostile) environment. It is certainly different if we consider the protocol execution with or without the presence of some malicious enemy which tries to send a fake K's. We can thus rephrase the message (key) authenticity property as follows:

“Whatever hostile environment is considered, B will never receive (as part of Message 1), during all of his possible runs, a key which is different from Ks”.

Notice that the property above looks really ad hoc for the specific protocol we are considering. As a matter of fact, we are requiring that a particular piece of information sent inside a particular message differs from a certain fixed key Ks. This specificity is a quite typical aspect of precise definitions of security properties, since they often depend on the structure of the analyzed system or protocol. We can improve the generality of the property by assuming to have an event received(m) corresponding to the reception of message m by B and by denoting with P(k) the protocol specification in which Alice is willing to send the session-key k to Bob. We can now state that

“P(Ks) guarantees message (key) authenticity if, whatever hostile environment is considered, an event received(K's) with K's ≠ Ks can never occur”.

We can now show that the simple protocol we have considered so far does not guarantee message authenticity, when more than one protocol session is possible. The flaw is due to a well-known replay attack, that allows the enemy to make B accept an old session key. This is very dangerous as the enemy could have time to break an old session key and force B to use such a broken key again. Knowing the key, the enemy can completely impersonate A in the just established session. The attack sequence follows:

message 1a   A → B : {Ks, A}K        The enemy stores this message

message 1b   E(A) → B : {Ks, A}K     The enemy replays the old message

E(A) denotes the enemy impersonating A.
To see why this attack is revealed by the definition of message authenticity we have given, it is sufficient to consider the situation in which two (sequential) instances of P are considered, with two different keys: P(Ks^1), P(Ks^2). Now it is easy to see that P(Ks^2) does not guarantee message authenticity. Indeed, the enemy may exploit the attack sequence above to make the B of P(Ks^2) accept the session key Ks^1 exchanged in the first session P(Ks^1). As a consequence B will produce the event received(Ks^1) instead of the expected one received(Ks^2). This may be depicted as follows:

message 1a   A → B : {Ks^1, A}K        received(Ks^1)

message 1b   E(A) → B : {Ks^1, A}K     received(Ks^1)

Entity Authentication. We now consider another security property: entity 
authentication. This property is more subtle. Informally, entity authentication 
should allow the verification of an entity’s claimed identity, by another entity. 
There are several attempts in the literature to formalize this notion. Here, we 
follow the ones based on correspondence between actions of the participants (see, 
e.g., [28,33,45]). 

As an example, in our protocol we would like that whenever B receives the protocol message (encrypted with the correct key) then A has indeed executed the protocol with him. To formalize this idea, we consider two events commit(B, A) and run(A, B) representing the fact that B has successfully terminated the protocol apparently with A and that A has at least started the protocol with B. It is now sufficient to require that each event commit(B, A) is always matched by an event run(A, B) [33]. In other words commit(B, A) should never happen if A has not started the protocol. We state entity authentication as follows:

“P guarantees entity authentication of B with respect to A if, whatever hostile environment is considered, an event commit(B, A) can never occur without a matching event run(A, B)”.

Note that the same attack considered for message authenticity is also an attack for entity authentication:

message 1a   A → B : {Ks, A}K        run(A, B), commit(B, A)

message 1b   E(A) → B : {Ks, A}K     commit(B, A)

Notice that in the second message we have an event commit(B, A) without the matching event run(A, B), representing the fact that A is not running the protocol in the second session. This captures the replay attack performed by E, in which E impersonates A. We conclude that B cannot be guaranteed of the identity of the claimant, i.e., P does not guarantee entity authentication.

Remark 1. Entity authentication and message authenticity are different properties. As an example, if we do not have a message “to be sent” by the entity that we want to authenticate, the message authenticity property becomes senseless. To see this point, consider the following (faulty) authentication protocol:

message 1   A → B : {Na}Kab     run(B, A)

message 2   B → A : Na          commit(A, B)

In order to verify the identity of B, A sends a challenge Na (typically a random number used only once, called a nonce) to B encrypted with the symmetric key Kab which is only known by A and B. Only B should be able to decrypt Na and send it back to A. If A may play both the initiator and responder role in parallel sessions of the protocol, the following well-known reflection attack becomes possible:

message 1    A → E(B) : {Na}Kab

message 1'   E(B) → A : {Na}Kab

message 2'   A → E(B) : Na

message 2    E(B) → A : Na      commit(A, B)

The enemy intercepts the first message and starts a new session of the protocol with A. Basically, the enemy uses this second session to obtain from A the value Na. Finally the enemy can conclude the first session successfully masquerading as B. Note that, again, we have a commit(A, B) event with no run(B, A).

Notice that B has no private messages to send to A, thus it is not possible to 
express the attack above as an attack on message authenticity. Indeed, B does 
not send any message to A that should be authentic from him. 

The General Scheme. We have seen that the two different properties of message authenticity and entity authentication can both be specified by requiring that, whatever hostile environment is considered, the protocol never shows some particular bad behaviour. We have also observed that this set of bad behaviours, in general, depends on the particular property and sometimes may also depend on the protocol P. For example, for message authenticity we need the parameter m of P in order to require that m is the message to be delivered. We take a complementary approach (that is more manageable), and we denote with α_S(P) the set of all possible good behaviours of P with respect to the security property S. Moreover we denote with γ_S(P) the protocol P decorated with the suitable events of property S. Informally, our general scheme becomes the following:

“P guarantees a security property S if, whatever hostile environment is considered, γ_S(P) always shows behaviours in α_S(P)”.

The considerations above are at the base of the proposal of a uniform formal framework where security properties can be defined. The proposed schema, called Generalized NDC (GNDC for short), is as follows:

P is GNDC^{α_S}_{⊲} iff ∀X ∈ E_φI : (γ_S(P) || X) \ C ⊲ α_S(P)

where ⊲ is a behavioural preorder, i.e., P ⊲ P' means that all the behaviours shown by P are also shown by P'.
GNDC^{α_S}_{⊲} corresponds to the informal scheme sketched above. Indeed, X ∈ E_φI selects enemies with a knowledge limited by φI. Then, the decorated protocol γ_S(P) executed with X is required to show behaviours inside the set α_S(P) of good ones.

Given the GNDC scheme, we can define a specific property S by suitably instantiating the function α_S(P), the preorder ⊲ and the decoration function γ_S. We will see that many (network) security properties can be instantiated in the GNDC scheme. Here, we informally show how this is achieved for non interference (formalized as NDC), message authenticity and entity authentication:

— Non-interference (NDC): α_NI(P) = P \ C, ⊲ is ≈ and γ_NI(P) = P. We obtain the exact definition of NDC.

— Message authenticity: α_MA(P(M)) is the process where event received(M') may only occur with M' = M. ⊲ is the trace-preorder, i.e., P ⊲ P' if all the execution sequences (i.e., traces) of P are execution sequences of P', and γ_MA(P) is the process that suitably performs received(m) whenever the supposedly authentic message m is delivered by the protocol.

— Entity Authentication: α_EA(P) is the process where events commit(B, A) are always preceded by matching events run(A, B); ⊲ is the trace-preorder, as above, and γ_EA(P) is the process that suitably performs run(A, B) and commit(B, A) whenever A starts the protocol with B and B concludes the protocol convinced to communicate with A, respectively.
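A small trace-based checker, added here and not part of the paper (CryptoSPA carries messages and a deduction system; this toy has only action names), makes both the NDC definition of Section 1.1 and the GNDC instance for message authenticity concrete: under trace semantics the most general high process replaces the universal quantification, and the two-session key protocol with a replaying enemy is checked against α_MA. The process encoding, the `top` and `enemy` constructs and the channel names net_K1, net_K2 are assumptions of this example.

```python
"""Toy trace semantics for finite SPA/CCS-style processes (added example, not
the paper's CryptoSPA): checks NDC via the most general high process and the
GNDC instance for message authenticity on the two-session key protocol.
Hypothetical encoding: ("nil",) | ("pre", act, P) | ("sum", P, Q) |
("par", P, Q) | ("res", P, names) | ("top", names) | ("enemy", known, names).
Actions are strings: "a" is input on a, "a!" is output on a, "tau" is silent."""
TAU = "tau"

def base(a):
    return a[:-1] if a.endswith("!") else a

def comp(a):
    """Complementary action: an output synchronises with the same-named input."""
    return a[:-1] if a.endswith("!") else a + "!"

def steps(p):
    """Transition relation: successors of p as (action, process) pairs."""
    tag = p[0]
    if tag == "nil":
        return []
    if tag == "pre":
        return [(p[1], p[2])]
    if tag == "sum":
        return steps(p[1]) + steps(p[2])
    if tag == "top":      # most general high process: any H action, forever
        return [(x, p) for a in p[1] for x in (a, a + "!")]
    if tag == "enemy":    # Dolev-Yao style: learns whatever it intercepts on
        known, chans = p[1], p[2]  # the public channels and can replay it
        learn = [(c, ("enemy", known | {c}, chans)) for c in chans]
        return learn + [(c + "!", p) for c in known]
    if tag == "par":
        l, r = p[1], p[2]
        moves = [(a, ("par", l2, r)) for a, l2 in steps(l)]
        moves += [(a, ("par", l, r2)) for a, r2 in steps(r)]
        moves += [(TAU, ("par", l2, r2)) for a, l2 in steps(l)
                  for b, r2 in steps(r) if a != TAU and comp(a) == b]
        return moves
    if tag == "res":      # P \ names: those actions are blocked, tau passes
        return [(a, ("res", q, p[2])) for a, q in steps(p[1])
                if a == TAU or base(a) not in p[2]]
    raise ValueError(p)

def traces(p, memo=None):
    """Set of visible traces (tau dropped). Terminates when the restricted
    system is acyclic, as it is for the finite examples below."""
    memo = {} if memo is None else memo
    if p not in memo:
        acc = {()}
        for a, q in steps(p):
            acc |= {t if a == TAU else (a,) + t for t in traces(q, memo)}
        memo[p] = frozenset(acc)
    return memo[p]

def low_view(p, high):
    return traces(("res", p, high))

def ndc_trace(p, high):
    """Trace NDC: P\\H has the same low traces as (P || Top_H)\\H; under trace
    semantics the most general high process stands in for all of them."""
    return low_view(p, high) == low_view(("par", p, ("top", high)), high)

def interference(p, high):
    """Low traces that only some high process can enable: evidence of a flow."""
    return low_view(("par", p, ("top", high)), high) - low_view(p, high)

def gndc_trace(decorated, enemy, chans, good):
    """GNDC with the trace preorder: (gamma(P) || X) \\ C may only show traces
    in alpha(P). Returns (holds, offending traces)."""
    bad = traces(("res", ("par", decorated, enemy), chans)) - good
    return not bad, bad

# Multilevel examples with H = {h}: P1 = h.l1!.0 + l2!.0 leaks whether h
# happened; P2 = h.0 + l!.0 has the same low traces either way (trace NDC
# holds; the bisimulation-based BNDC of footnote 1 would reject the deadlock).
NIL, HIGH = ("nil",), frozenset({"h"})
P1 = ("sum", ("pre", "h", ("pre", "l1!", NIL)), ("pre", "l2!", NIL))
P2 = ("sum", ("pre", "h", NIL), ("pre", "l!", NIL))

# Key protocol, two sequential sessions: the ciphertext {Ks^i, A}K is modelled
# as the public channel name net_Ki, which the enemy cannot forge without K.
NET = frozenset({"net_K1", "net_K2"})

def sender():      # A: sends {K1,A}K and then {K2,A}K
    return ("pre", "net_K1!", ("pre", "net_K2!", NIL))

def receiver(n):   # gamma_MA(B): emits received(Ki) after each accepted message
    if n == 0:
        return NIL
    return ("sum", ("pre", "net_K1", ("pre", "received_K1!", receiver(n - 1))),
                   ("pre", "net_K2", ("pre", "received_K2!", receiver(n - 1))))

# alpha_MA: session i may only report Ks^i (prefix-closed, for the trace preorder)
GOOD_MA = frozenset({(), ("received_K1!",), ("received_K1!", "received_K2!")})

def check_key_protocol():
    enemy = ("enemy", frozenset(), NET)   # initial knowledge: nothing secret
    return gndc_trace(("par", sender(), receiver(2)), enemy, NET, GOOD_MA)
```

`check_key_protocol()` returns `False` together with the offending traces, among them `('received_K1!', 'received_K1!')`, which is exactly the replayed first-session key accepted by the B of the second session.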

1.4 Plan of the Paper 

The primary goal of this paper is to substantiate our claim that most (maybe all) security properties proposed for the analysis of cryptographic protocols are expressible as suitable instances of the GNDC schema above, by suitably choosing the property dependent (low) observable actions, the position where they are to be inserted into the specification, as well as a suitable behavioural equivalence. One interesting result that holds for trace semantics is that, once the function γ is fixed, NDC is the strongest property in the GNDC^α family, for any choice of the function α.

We think that the advantages of our approach include at least the following: 

— formal comparison: as the definitions are now given in a uniform style, it 
should be easier to compare the relative merits; this is especially true for 
slippery properties such as the many varieties of authentication. 

— one check for all: as all the properties are defined in the same NDC style and NDC is the strongest property, it is possible to put into the specification the extra actions for all the properties of interest, hence obtaining that one successful NDC check for this rich case implies that all the properties are satisfied.

— accuracy: so far we have analyzed about 40 protocols (with the help of an automatic tool [13,15]) of a well-known library of crypto-protocols [10]. Two supposedly correct protocols have been shown incorrect and for a few additional flawed protocols some new attacks have been found (see [14] for details). Our experience hence supports our claim that a protocol passing the NDC test is more likely to be flaw free.
The paper is organized as follows. Section 2 introduces the process algebra
CryptoSPA that we use to formally define cryptographic protocols. Section 3 
describes how the non interference approach, developed for SPA in [17,18,19], 
is rephrased over CryptoSPA. In particular, we study how to describe security 
properties by decorating the protocol specification with specific low level ac- 
tions; we also study when an attacker (or enemy) is admissible (by imposing 
restriction on its initial knowledge) and, finally, the behavioural semantics for 
CryptoSPA we are interested in (trace, bisimulation), over which the NDC the- 
ory is parametrized. Section 4 addresses some technical problems we have to 
face in order to perform cryptographic protocol verification. For instance, the 
problem of finding the most general enemy, in order to remove the universal 
quantification in the NDC definition, as well as the problem of compositionality 
of secure cryptographic protocols. In Section 5 the general GNDC scheme is 
presented, as well as its instantiation to several security properties, including se- 
crecy, message authenticity, entity authentication, non repudiation and fairness. 
Section 6 provides some formal comparison among security properties. Among 
the results reported there, we mention the proof that NDC is the strongest property in the GNDC family. Section 7 concludes the paper with some comparison
with related work and some suggestions for future research. 

2 The Model 

In this section we describe the language we use for the specification of crypto- 
graphic protocols and their security properties. It is called Cryptographic Security 
Process Algebra (CryptoSPA for short), and is a variant of value-passing CCS 
[38], where the processes are provided with some primitives for manipulating 
messages [36]. In particular, processes can perform message encryption and de- 
cryption, and also construct complex messages by composing together simpler 
ones. 

2.1 The CryptoSPA Syntax 

The CryptoSPA syntax is based on the following elements: 

— A set $I = \{a, b, \ldots\}$ of input channels and a set $O = \{\bar{a}, \bar{b}, \ldots\}$ of output channels, related through a function $\bar{\cdot} : I \cup O \to I \cup O$ which, given an input $a \in I$, returns the corresponding output $\bar{a} \in O$ and vice versa, i.e., $\bar{\bar{a}} = a$.

— A set $M$ of basic messages. The set $\mathcal{M}$ of all messages is defined as the least set such that $M \subseteq \mathcal{M}$ and $\forall m, m', k \in \mathcal{M}$ we have that $(m, m')$ (pairs) and $\{m\}_k$ (encryptions) also belong to $\mathcal{M}$.

— A set $C \subseteq I \cup O$ of channels, ranged over by $c$, such that $c \in C$ iff $\bar{c} \in C$; these public channels represent the insecure network on which the enemy can intercept and fake messages. Channels in $(I \cup O) \setminus C$ are the private channels.

— A function $Msg : I \cup O \to \mathcal{P}(\mathcal{M})$ which maps every channel $c$ into the set of possible messages that can be sent and received along such a channel. $Msg$ is such that $Msg(c) = Msg(\bar{c})$.

— A set $Act = \{c(m) \mid c \in I, m \in Msg(c)\} \cup \{\bar{c}m \mid \bar{c} \in O, m \in Msg(c)\} \cup \{\tau\}$ of actions ($\tau$ is the internal, invisible action), ranged over by $a$ (with abuse of notation).

— A set $Var$ of variables, ranged over by $x$.

— A set $Const$ of constants, ranged over by $A$.

The set $\mathcal{E}$ of CryptoSPA terms (or processes) is defined as follows:

\[ P ::= 0 \mid c(x).P \mid \bar{c}e.P \mid \tau.P \mid P + P \mid P \| P \mid P \setminus L \mid P[f] \mid [e = e']P;P \mid [\langle e_1 \ldots e_r\rangle \vdash_{rule} x]P;P \mid A(e_1, \ldots, e_n) \]

where $e, e', e_1, \ldots, e_r$ are messages or variables, $L$ is a set of input channels and $f : Act \to Act$ is a function that relabels channel names inside actions^4 and may also relabel actions into the internal (invisible) action $\tau$. Both the operators $c(x).P$ and $[\langle e_1 \ldots e_r\rangle \vdash_{rule} x]P;P'$ bind the variable $x$ in $P$.

Most of the CryptoSPA operators are the same as in value-passing CCS. Intuitively, $0$ is the empty process, which cannot do any action; $c(x).P$ reads a value $v$ from channel $c$ and then behaves as process $P$ in which all the free occurrences of $x$ are replaced by $v$; symmetrically, $\bar{c}e.P$ sends $e$ as output on channel $c$, then behaving as $P$; $\tau.P$ can do an internal action $\tau$ and then behaves like $P$; $P_1 + P_2$ can alternatively choose^5 to behave like $P_1$ or $P_2$; $P_1 \| P_2$ is the parallel composition of $P_1$ and $P_2$, where the executions of the two systems are interleaved, possibly synchronized on complementary input/output actions, producing an internal $\tau$; $P \setminus L$ can execute all the actions $P$ is able to do, provided that inputs and outputs are not performed over channels belonging to $L$; if $P$ can execute action $a$, then $P[f]$ performs $f(a)$; finally, $[e = e']P_1; P_2$ behaves like $P_1$ if $e = e'$ and like $P_2$ otherwise.

Besides the above described standard value-passing CCS operators, we have an additional one that has been introduced in order to model message handling and cryptography. Informally, the $[\langle m_1 \ldots m_r\rangle \vdash_{rule} x]P_1; P_2$ process tries to deduce a piece of information $z$ from the tuple of messages $\langle m_1 \ldots m_r\rangle$ through one application of rule $\vdash_{rule}$; if it succeeds, then it behaves like $P_1[z/x]$, otherwise it behaves like $P_2$. See the next subsection for a more detailed explanation of derivation rules.

Finally, let $Def : Const \to \mathcal{E}$ be a set of defining equations of the form $A(x_1, \ldots, x_n) \stackrel{def}{=} P$, where $P$ may contain no free variables except $x_1, \ldots, x_n$, which must be distinct. Constants permit us to define recursive processes, but we have to be a bit careful in using them. A term $P$ is closed with respect to $Def$ if all the constants occurring in $P$ are defined in $Def$ (and, recursively, for their defining terms). A term $P$ is guarded with respect to $Def$ if all the constants occurring in $P$ (and, recursively, for their defining terms) occur in a prefix context [38]. A term $P$ is finite with respect to $Def$ if the set of constants occurring in $P$ or, recursively, in their defining terms is finite. We call $\mathcal{E}$ the set of all the CryptoSPA closed terms (i.e., with no free variables) that are closed, guarded and finite with respect to $Def$. Terms in $\mathcal{E}$ are usually called CryptoSPA processes. Let $sort(P)$ denote the sort of $P$, i.e., the set of channels occurring syntactically in $P$. With $\mathcal{E}_C$ we denote the processes $P$ such that $sort(P) \subseteq C$.

For the sake of readability, we always omit the termination $0$ at the end of process specifications, e.g., we write $a$ in place of $a.0$. We also write $[m = m']P$ in place of $[m = m']P;0$ and analogously for $[\langle m_1 \ldots m_r\rangle \vdash_{rule} x]P;0$. Finally, we often replace constructive rules (encryption and pairing) with the resulting messages, e.g., we use $\bar{c}\{m\}_k$ as a shorthand for $[\langle m, k\rangle \vdash_{enc} x]\bar{c}x$.

^4 The relabelling functions map channels in $C$ to channels in $C$ and channels in $(I \cup O) \setminus C$ to channels in $(I \cup O) \setminus C$.

^5 For notational convenience, we sometimes use the $\Sigma$ operator (indexed on a set) to represent a general $n$-ary (or even infinitary) sum operator.

Fig. 2. Inference system for message manipulation, where $m, m', k, k^{-1} \in \mathcal{M}$.



2.2 The Operational Semantics of CryptoSPA

In order to model message handling and cryptography, CryptoSPA may be equipped with a set of suitable inference rules (inference system). Note that the CryptoSPA syntax, its semantics and the results obtained herein are completely parametric with respect to the chosen inference system. For explanatory purposes, in Figure 2 we provide a simple inference system which is quite similar to those used by many authors (see, e.g., [32,34]). However, it is possible (and easy) to adopt other rules, e.g., for modeling different kinds of cryptographic approaches as well as cryptographic weaknesses. We consider a function $\cdot^{-1} : \mathcal{M} \to \mathcal{M}$ which denotes, for each key $k$ (i.e., a message possibly used as encryption key), the corresponding decryption key $k^{-1}$. Note that there are no rules to obtain the message $k^{-1}$ from $k$ (and vice versa). In particular, the inference system can combine two messages obtaining a pair (rule $\vdash_{pair}$); it can extract one message from a pair (rules $\vdash_{fst}$ and $\vdash_{snd}$); it can encrypt a message $m$ with a key $k$ obtaining $\{m\}_k$ and, finally, decrypt a message of the form $\{m\}_k$ only if it has the corresponding (inverse) key $k^{-1}$ (rules $\vdash_{enc}$ and $\vdash_{dec}$). As an example, process $[\langle \{m\}_k, k^{-1}\rangle \vdash_{dec} x]P_1; P_2$ decrypts message $\{m\}_k$ through the inverse key $k^{-1}$ and behaves like $P_1[m/x]$, while $[\langle \{m\}_k, k'\rangle \vdash_{dec} x]P_1; P_2$ (with $k' \neq k^{-1}$) tries to decrypt the same message with the wrong inverse key $k'$ and (since it is not permitted by $\vdash_{dec}$) it behaves like $P_2$.

Given an inference system, we say that a message $m$ can be deduced from a set of messages $\phi$ whenever there exists a proof tree whose nodes are messages, such that the root is $m$, the leaves are contained in $\phi$ and each message in the tree may be obtained by applying a rule instance of the inference system whose premises are the descendants of the message in the tree. We consider a function $\mathcal{D}$, from finite sets of messages to sets of messages, such that $\mathcal{D}(\phi)$ is the set of messages that can be deduced from $\phi$. We assume that $\mathcal{D}(\phi)$ is a decidable set.

Fig. 3. Operational semantics (symmetric rules for $+_1$, $\setminus L$, $\|_1$ and $\|_2$ are omitted).

Note that, in our model, we are assuming encryption as completely reliable. Thus, we do not allow any kind of cryptographic attack, e.g., the guessing of secret keys. Nevertheless, the goal of the theory we are going to present is to capture those attacks that can be carried out even if cryptography is completely reliable. The behavior of a CryptoSPA term is formally described by means of the labeled transition system $(\mathcal{E}, Act, \{\xrightarrow{a}\}_{a \in Act})$, where $\xrightarrow{a}$ is the least relation between CryptoSPA terms induced by the axioms and inference rules of Figure 3.

The behaviour of a specific term $P$ is the portion of the above labelled transition system which is reachable starting from the state $P$. We write $P = P'$ if $P$ and $P'$ show exactly the same behaviour, i.e., if they have isomorphic labelled transition systems, up to state renaming.

Example 1. We give a simple example of CryptoSPA protocol specification. Consider again the (flawed) key exchange protocol we presented in Section 1.3:

\[ A \to B : \{K_s, A\}_K \]

It can be specified as the following CryptoSPA process $P$:

\[ P = \bar{c}\{K_s, A\}_K . A'(K_s) \;\|\; c(y).[\langle y, K\rangle \vdash_{dec} w][\langle w\rangle \vdash_{fst} z].B'(z) \]

where $K^{-1} = K$ (symmetric encryption) and $Msg(c) = \mathcal{M}$. Moreover, $A'(K_s)$ and $B'(z)$ represent the continuations of $A$ and $B$, respectively, that will presumably communicate using the just established session key $K_s$. Notice that in $B'(z)$, variable $z$ is bound to the received session key.

152

Riccardo Focardi, Roberto Gorrieri, and Fabio Martinelli

We want to analyze the execution of $P$ with no intrusion; we thus consider $P \setminus \{c\}$, since the restriction guarantees that $c$ is now a secure channel between $A$ and $B$ (no external attacker can access channel $c$). We obtain a process whose only possible execution is the correct one where $A$ sends to $B$ message $\{K_s, A\}_K$:

\[ P \setminus \{c\} \xrightarrow{\tau} (A'(K_s) \;\|\; [\langle \{K_s, A\}_K, K\rangle \vdash_{dec} w][\langle w\rangle \vdash_{fst} z].B'(z)) \setminus \{c\} \]
\[ \xrightarrow{\tau} (A'(K_s) \;\|\; B'(K_s)) \setminus \{c\} \]

Notice that, after the message exchange, the two continuations $A'(K_s)$ and $B'(K_s)$ share the correct session key $K_s$.

3 Non-interference for CryptoSPA 

In this section we want to rephrase the non-interference theory developed for SPA to the richer setting of CryptoSPA. The following subsections are devoted (i) to illustrate how security properties can be specified by suitably decorating the protocol specification, then (ii) to discuss the actual definition of admissible attackers and, finally, (iii) to study behavioural semantics for CryptoSPA over which the GNDC theory is parametrized.

3.1 Decorating Protocol Specifications 

The first problem is to understand what are the high level actions and the low level ones in this setting. NDC essentially says that a system $P$ is secure if its low behaviour in isolation is the same as its low behaviour when exposed to the interaction with any high level process $\Pi$. Analogously, we may think that a protocol $P$ is secure if its (low) behaviour is the same as its (low) behaviour when exposed to the possible attacks of any intruder $X$.

To set up the correspondence, this analogy forces us to consider the enemies as the high processes. Since the enemy has complete control over the communication medium, the CryptoSPA public channels in set $C$ (i.e., the names used for message exchange) are the high level actions while the private channels in set $(I \cup O) \setminus C$ are the low level ones. As a protocol specification is usually completely given by message exchanges, it may not be obvious what the low level actions are. In our approach, they are extra observable actions that are included into the protocol specification to observe properties of the protocol. Of course, the choice of these extra actions (and the place in the specification where they are to be inserted) is property dependent, as we will see in the next section.

This idea of decorating a protocol with extra low level actions is formalized by considering a function $\gamma$, such that $\gamma(P)$ represents protocol $P$ decorated with suitable low level actions. The decoration function $\gamma$ should not affect the protocol behaviour, as its only purpose is to allow observing such a behaviour. This is achieved by explicitly requiring that $\gamma(P)$ behaves as $P$ once the low level extra actions have been hidden (i.e., transformed into internal non-observable actions).
Let $f_{((I \cup O) \setminus C)}$ be the relabelling function that maps all the actions in $(I \cup O) \setminus C$ into $\tau$, and let $\approx$ denote a suitable behavioural equivalence such that $P \approx P'$ only if $P$ and $P'$ behave the same (equivalences of this kind will be formally defined in Section 3.3).

Definition 1. A function $\gamma : \mathcal{E}_C \to \mathcal{E}$ is a decoration function if for every CryptoSPA protocol $P$ such that $sort(P) \subseteq C$, we have $P \approx \gamma(P)[f_{((I \cup O) \setminus C)}]$.

We will see that the requirement above for $\gamma$ functions may be easily achieved by considering $\gamma$'s that decorate the protocols by only adding output actions, i.e., actions that simply make public some internal protocol values and do not modify the protocol execution by reading new values.

Example 2. Consider again the CryptoSPA protocol specification of Example 1:

\[ P = \bar{c}\{K_s, A\}_K . A'(K_s) \;\|\; c(y).[\langle y, K\rangle \vdash_{dec} w][\langle w\rangle \vdash_{fst} z].B'(z) \]

Recall that it models the (flawed) key exchange protocol we presented in Section 1.3:

\[ A \to B : \{K_s, A\}_K \]

In that section we discussed how both message authenticity and entity authentication might be verified by observing the suitable events $received(K_s)$ and $run(A, B)$, $commit(B, A)$, respectively. Here we show how such events may be added to the specification $P$. We consider two decoration functions $\gamma_{MA}$ and $\gamma_{EA}$ such that:

\[ \gamma_{MA}(P) = \bar{c}\{K_s, A\}_K . A'(K_s) \;\|\; c(y).[\langle y, K\rangle \vdash_{dec} w][\langle w\rangle \vdash_{fst} z].received(z).B'(z) \]
\[ \gamma_{EA}(P) = run(A, B).\bar{c}\{K_s, A\}_K . A'(K_s) \;\|\; c(y).[\langle y, K\rangle \vdash_{dec} w][\langle w\rangle \vdash_{fst} z].commit(B, A).B'(z) \]

$\gamma_{MA}(P)$ behaves as $P$ apart from the fact that it sends the session key received by $B$ on the low level channel $received$; $\gamma_{EA}(P)$ only modifies $P$ by performing the two low level outputs $run(A, B)$ and $commit(B, A)$ when $A$ starts the protocol and when $B$ concludes it, respectively. Notice that these decorations do not change the protocol behaviour observed on channel $c$. As an example, $\gamma_{MA}(P)[f_{((I \cup O) \setminus C)}]$ corresponds to the protocol

\[ \bar{c}\{K_s, A\}_K . A'(K_s) \;\|\; c(y).[\langle y, K\rangle \vdash_{dec} w][\langle w\rangle \vdash_{fst} z].\tau.B'(z) \]

which is equivalent to $P$ for any reasonable weak (i.e., ignoring $\tau$'s) behavioural equivalence.

3.2 The Enemy 

Intuitively, an enemy can be thought of as a process which tries to attack a 
protocol by stealing and faking the information which is transmitted on the 
CryptoSPA public channels in set C. In principle, such a process could be mod- 
eled as a generic process X which can communicate only through the channels 
belonging to C. However, in this way we obtain that X is a too powerful at-
tacker. A peculiar feature of the enemies is that they should not be allowed to 
know secret information in advance: as we assume perfect cryptography, the ini- 
tial knowledge of an enemy must be limited to include only publicly available 
information, such as names of entities and public keys, and its own private data 
(e.g., enemy’s private key). If we do not impose such a limitation, the attacker 
would be able to “guess” every secret information, as illustrated in the following 
example. 

Example 3. Consider again the protocol $P$ of Examples 1 and 2. Since only $A$ and $B$ know $k_{AB}$, this protocol should guarantee the authenticity of $m_A$ even in the presence of an enemy, when only one protocol session is considered (we have seen that authenticity is not guaranteed for multiple sessions). We assume that $c \in C$ is a public channel and we consider the following attacker that belongs to $\mathcal{E}_C$:

\[ X(m, a, k) = \bar{c}\{m, a\}_k \]

Notice that this process may only communicate over the public channel $c$, i.e., $sort(X(m, a, k)) = \{c\}$. Consider now $X(K_x, A, k_{AB})$, which knows $k_{AB}$ and can consequently send a faked message $\{K_x, A\}_{k_{AB}}$ to $B$. In order to observe this, we consider the decorated protocol $\gamma_{MA}(P)$ "under the attack" of $X$ (note that we put $X$ inside the scope of restriction):

\[ (\gamma_{MA}(P) \;\|\; X(K_x, A, k_{AB})) \setminus C \]

After one $\tau$ communication step, the process above can perform $received(K_x, A)$, which represents the fact that $B$ has received $K_x$ instead of $m_A$. This happens since we are considering an attacker $X(K_x, A, k_{AB})$ which is in some sense "guessing" $k_{AB}$ ($X$ knows $k_{AB}$ in advance). As we are interested in attacks that can be carried out even when cryptography is completely reliable, we would like to forbid such infeasible attacks by restricting the set of admissible enemies. ■

The problem of guessing secret values can be solved by imposing some constraints on the initial data known by the intruders. Given a process $P$, we call $ID(P)$ the set of messages that occur syntactically in $P$. More formally, we define $ID(P)$ as $I(P, \emptyset)$, where $I : \mathcal{E} \times \mathcal{P}(Const) \to \mathcal{P}(\mathcal{M})$ is given in Figure 4. Informally, $I(P, V)$ is a function that recursively visits the sub-terms of $P$ and the body of the constants used. The argument $V$ is used to check that the unwinding of a constant definition is performed only once.

Example 4. Consider $A(m_1)$, where $A(x) \stackrel{def}{=} \bar{c}x.0 \;\|\; \bar{c}m_2.A(m_3)$. Note that:

\[ I(A(m_3), \{A\}) = \{m_3\} \]
\[ I(\bar{c}x.0, \{A\}) = I(0, \{A\}) = \emptyset \]
\[ I(\bar{c}m_2.A(m_3), \{A\}) = \{m_2\} \cup I(A(m_3), \{A\}) = \{m_2, m_3\} \]
\[ I(A(x), \{A\}) = I(\bar{c}x.0, \{A\}) \cup I(\bar{c}m_2.A(m_3), \{A\}) = \{m_2, m_3\} \]
\[ I(A(m_1), \emptyset) = \{m_1\} \cup I(A(x), \{A\}) = \{m_1, m_2, m_3\} \]

Thus, we have $ID(A(m_1)) = I(A(m_1), \emptyset) = \{m_1, m_2, m_3\}$.
\[ I(0, V) = \emptyset \]
\[ I(c(x).P, V) = I(P, V) \]
\[ I(\bar{c}e.P, V) = get\_msg(e) \cup I(P, V) \]
\[ I(\tau.P, V) = I(P, V) \]
\[ I(P_1 + P_2, V) = I(P_1, V) \cup I(P_2, V) \]
\[ I(P_1 \| P_2, V) = I(P_1, V) \cup I(P_2, V) \]
\[ I(P \setminus L, V) = I(P, V) \]
\[ I(P[f], V) = I(P, V) \]
\[ I(A(e_1, \ldots, e_n), V) = \begin{cases} \bigcup_{i \in \{1, \ldots, n\}} get\_msg(e_i) & \text{if } A \in V \\ I(P, V \cup \{A\}) \cup \bigcup_{i \in \{1, \ldots, n\}} get\_msg(e_i) & \text{otherwise, where } A(x_1, \ldots, x_n) \stackrel{def}{=} P \end{cases} \]
\[ I([e = e']P_1; P_2, V) = get\_msg(e) \cup get\_msg(e') \cup I(P_1, V) \cup I(P_2, V) \]
\[ I([\langle e_1 \ldots e_r\rangle \vdash_{rule} x]P_1; P_2, V) = \Big(\bigcup_{i \in \{1, \ldots, r\}} get\_msg(e_i)\Big) \cup I(P_1, V) \cup I(P_2, V) \]

where

\[ get\_msg(e) = \begin{cases} \{e\} & \text{if } e \text{ is a message} \\ \emptyset & \text{if } e \text{ is a variable} \end{cases} \]

Fig. 4. Definition of $I(P, V)$.



Now, let $\phi_I \subseteq \mathcal{M}$ be the finite, initial knowledge that we would like to give to the intruders, i.e., the public information such as the names of the entities and the public keys, plus some possible private data of the intruders (e.g., their private keys or nonces). For a certain intruder $X$, we want that all the messages in $ID(X)$ are deducible from $\phi_I$.

Definition 2. Given a finite set $\phi_I \subseteq \mathcal{M}$, called the initial knowledge, we define the set of admissible enemies as $\mathcal{E}_C^{\phi_I} = \{X \in \mathcal{E} \mid sort(X) \subseteq C \text{ and } ID(X) \subseteq \mathcal{D}(\phi_I)\}$.

To see how $\mathcal{E}_C^{\phi_I}$ prevents the problem presented in Example 3, consider again the enemy $X(K_x, A, k_{AB})$ of that example. To indicate that $k_{AB}$ is secret, we can now require that $k_{AB} \notin \mathcal{D}(\phi_I)$. Since $ID(X(K_x, A, k_{AB})) = \{K_x, A, k_{AB}\}$, we finally have that $X(K_x, A, k_{AB}) \notin \mathcal{E}_C^{\phi_I}$.
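To make Definition 2 concrete, here is an added Python example (written for this page; it is neither the paper's own tool nor the CryptoSPA semantics). It encodes the inference system of Figure 2 as a decision procedure for $m \in \mathcal{D}(\phi)$ (Section 2.2), the function $I(P, V)$ of Figure 4 on a small term syntax, and the admissibility test $sort(X) \subseteq C$, $ID(X) \subseteq \mathcal{D}(\phi_I)$; it recomputes Example 4 and rejects the enemy $X(K_x, A, k_{AB})$ of Example 3 whenever $k_{AB} \notin \mathcal{D}(\phi_I)$. The term constructors, the names `deducible`, `I`, `ID`, `sort` and `admissible`, and the initial knowledge `PHI_I = {A, B}` are this example's own choices; channels are represented by their base name (so $C$ is given as `{"c"}` rather than $\{c, \bar{c}\}$), keys are symmetric and self-inverse as in Example 1, and the shorthand $\bar{c}\{m, a\}_k$ is written out as the two deduction prefixes it abbreviates (Section 2.1).

```python
# Added example (not the paper's code): the Fig. 2 inference system as a
# decision procedure for m in D(phi), the function I(P, V) of Fig. 4 on a
# small term syntax, and the admissibility test of Definition 2.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple, Union

# Messages: atoms are strings, Pair is (m, m'), Enc is {m}_k.
@dataclass(frozen=True)
class Pair: left: "Msg"; right: "Msg"
@dataclass(frozen=True)
class Enc: body: "Msg"; key: "Msg"
Msg = Union[str, Pair, Enc]

def inverse(k: Msg) -> Msg:
    """k^-1: symmetric keys are self-inverse (K^-1 = K, Example 1); as in the
    paper there is no rule deriving k^-1 from k."""
    return k

def _synth(t: Msg, known: Set[Msg]) -> bool:
    """Can t be built from `known` with the constructive rules pair and enc?"""
    if t in known:
        return True
    if isinstance(t, Pair):
        return _synth(t.left, known) and _synth(t.right, known)
    return isinstance(t, Enc) and _synth(t.body, known) and _synth(t.key, known)

def deducible(m: Msg, phi: FrozenSet[Msg]) -> bool:
    """m in D(phi)?  D(phi) is infinite, so saturate phi under the destructive
    rules fst/snd/dec (they only yield subterms, hence this is finite) and
    then check m with the constructive rules."""
    known: Set[Msg] = set(phi)
    changed = True
    while changed:
        changed = False
        for x in list(known):
            if isinstance(x, Pair):
                new = {x.left, x.right}                          # fst, snd
            elif isinstance(x, Enc) and _synth(inverse(x.key), known):
                new = {x.body}                                   # dec with k^-1
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return _synth(m, known)

# Process terms: only the constructors the examples below need.
@dataclass(frozen=True)
class Var: name: str
Term = Union[Msg, Var]                                     # message or variable
@dataclass(frozen=True)
class Nil: pass                                            # 0
@dataclass(frozen=True)
class Out: ch: str; msg: Term; body: "Proc"                # c̄e.P
@dataclass(frozen=True)
class Par: left: "Proc"; right: "Proc"                     # P || P
@dataclass(frozen=True)
class Ded:                                                 # [<e_1..e_r> |-rule x]P_1; P_2
    args: Tuple[Term, ...]; rule: str; var: str; then: "Proc"; orelse: "Proc"
@dataclass(frozen=True)
class Call: name: str; args: Tuple[Term, ...]              # A(e_1, ..., e_n)
Proc = Union[Nil, Out, Par, Ded, Call]
Defs = Dict[str, Tuple[Tuple[str, ...], Proc]]             # A -> (parameters, body)

def get_msg(e: Term) -> Set[Msg]:
    return set() if isinstance(e, Var) else {e}

def I(p: Proc, V: FrozenSet[str], defs: Defs) -> Set[Msg]:
    """I(P, V) of Fig. 4; V records the constants already unwound once."""
    if isinstance(p, Nil):
        return set()
    if isinstance(p, Out):
        return get_msg(p.msg) | I(p.body, V, defs)
    if isinstance(p, Par):
        return I(p.left, V, defs) | I(p.right, V, defs)
    args = set().union(*(get_msg(e) for e in p.args))
    if isinstance(p, Ded):
        return args | I(p.then, V, defs) | I(p.orelse, V, defs)
    return args if p.name in V else args | I(defs[p.name][1], V | {p.name}, defs)

def ID(p: Proc, defs: Defs) -> Set[Msg]:
    return I(p, frozenset(), defs)

def sort(p: Proc, defs: Defs, V: FrozenSet[str] = frozenset()) -> Set[str]:
    """Channels occurring syntactically in P (each constant unwound once)."""
    if isinstance(p, Out):
        return {p.ch} | sort(p.body, defs, V)
    if isinstance(p, (Par, Ded)):
        subs = (p.left, p.right) if isinstance(p, Par) else (p.then, p.orelse)
        return sort(subs[0], defs, V) | sort(subs[1], defs, V)
    if isinstance(p, Call) and p.name not in V:
        return sort(defs[p.name][1], defs, V | {p.name})
    return set()

def admissible(x: Proc, C: Set[str], phi_i: FrozenSet[Msg], defs: Defs) -> bool:
    """Definition 2: sort(X) ⊆ C and every message of ID(X) lies in D(phi_I)."""
    return sort(x, defs) <= C and all(deducible(m, phi_i) for m in ID(x, defs))

# Example 4: A(x) = c̄x.0 || c̄m2.A(m3).   Example 3: X(m, a, k) = c̄{m, a}_k,
# written out as the deduction prefixes the shorthand of Section 2.1 stands for.
DEFS: Defs = {
    "A": (("x",), Par(Out("c", Var("x"), Nil()),
                      Out("c", "m2", Call("A", ("m3",))))),
    "X": (("m", "a", "k"),
          Ded((Var("m"), Var("a")), "pair", "y",
              Ded((Var("y"), Var("k")), "enc", "x", Out("c", Var("x"), Nil()), Nil()),
              Nil())),
}
ENEMY = Call("X", ("Kx", "A", "kAB"))        # the guessing enemy of Example 3
PHI_I = frozenset({"A", "B"})                # constructed initial knowledge phi_I
```

`ID(Call("A", ("m1",)), DEFS)` yields `{m1, m2, m3}` as in Example 4, and `admissible(ENEMY, {"c"}, PHI_I, DEFS)` is false because $k_{AB}$ (and the enemy's own $K_x$) are not deducible from $\{A, B\}$; adding both to the knowledge makes the same enemy admissible. Since $\mathcal{D}(\phi)$ is infinite, `deducible` decides membership by saturating $\phi$ under the destructive rules, which only produce subterms and so terminate, and then checking $m$ with the constructive ones; this analysis-then-synthesis split is one way to discharge the assumption in Section 2.2 that $\mathcal{D}(\phi)$ is decidable.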

3.3 Behavioural Semantics 

In this section we define some well-known behavioural semantics that we will 
use in order to formalize security properties. As mentioned in the Introduction, 
NDC as well as our general GNDC scheme is parametric with respect to the 
chosen semantic preorder (or equivalence). The relevant ones for this paper are 
essentially two: trace and weak bisimulation [38]. 

Trace Semantics. Most of the security properties that have been proposed for the analysis of security protocols are based on the simple notion of trace: two processes are equivalent if they show exactly the same execution sequences (called traces). Let us consider the following relations between CryptoSPA terms: $P \Rightarrow P'$ (or $P \stackrel{\epsilon}{\Rightarrow} P'$) if $P (\xrightarrow{\tau})^* P'$, where $(\xrightarrow{\tau})^*$ is the reflexive (hence $P \Rightarrow P$ always holds) and transitive closure of the relation $\xrightarrow{\tau}$; and then $P \stackrel{a}{\Rightarrow} P'$ if $P \Rightarrow \xrightarrow{a} \Rightarrow P'$.

For a trace $\alpha = a_1 \ldots a_n$ we write $P \stackrel{\alpha}{\Rightarrow} P'$ if $P \stackrel{a_1}{\Rightarrow} P_1 \ldots P_{n-1} \stackrel{a_n}{\Rightarrow} P'$ for some $P_1, \ldots, P_{n-1}$. We say that $P'$ is a derivative of $P$ if there exists a trace $\alpha$ such that $P \stackrel{\alpha}{\Rightarrow} P'$.

The set $Tr(P)$ of traces associated with $P$ is then defined as $Tr(P) = \{\alpha \in (Act \setminus \{\tau\})^* \mid \exists P' : P \stackrel{\alpha}{\Rightarrow} P'\}$.

Definition 3. Let $P, Q \in \mathcal{E}$. We write $P \leq_{trace} Q$ iff $Tr(P) \subseteq Tr(Q)$. We also say that $P$ and $Q$ are trace equivalent (notation $P \approx_{trace} Q$) iff $P \leq_{trace} Q$ and $Q \leq_{trace} P$. ■



Example 5. Consider again the protocol $P$ and the (too powerful) enemy process $X(K_x, A, k_{AB})$, both discussed in Example 3. It is easy to see that

\[ (\gamma_{MA}(P) \;\|\; X(K_x, A, k_{AB})) \setminus C \not\approx_{trace} \gamma_{MA}(P) \setminus C \]

Indeed,

\[ Tr((\gamma_{MA}(P) \;\|\; X(K_x, A, k_{AB})) \setminus C) = \{received(K_x, A), received(K_s, A)\} \]
\[ Tr(\gamma_{MA}(P) \setminus C) = \{received(K_s, A)\} \]

This proves that $X$ is able to attack the protocol, by guessing the key $k_{AB}$. ■

We can also prove that the trace preorder is preserved by the parallel composition and by the restriction operator.

Proposition 1. Let $P, Q, R \in \mathcal{E}$ be three processes and $L$ a set of input channels. If $P \leq_{trace} Q$ then $P \| R \leq_{trace} Q \| R$ and $P \setminus L \leq_{trace} Q \setminus L$. ■



Weak Bisimulation. The general notion of bisimulation [38] consists of a mutual step-by-step simulation, i.e., given two processes $E$ and $F$, when $E$ executes a certain action moving to $E'$ then $F$ must be able to simulate this single step by executing the same action and moving to a term $F'$ which is again bisimilar to $E'$, and vice versa. A weak bisimulation is a bisimulation which does not care about internal $\tau$ actions, i.e., when $F$ simulates an action of $E$, it can also execute some $\tau$ actions before or after that action.

We write $E \stackrel{\hat{a}}{\Rightarrow} E'$ for $E \stackrel{a}{\Rightarrow} E'$ if $a \neq \tau$, and for $E (\xrightarrow{\tau})^* E'$ if $a = \tau$ (note that $\stackrel{\tau}{\Rightarrow}$ requires at least one $\tau$ labelled transition while $\stackrel{\hat{\tau}}{\Rightarrow}$ corresponds to $(\xrightarrow{\tau})^*$ and means zero or more $\tau$ labelled transitions).

The notion of weak bisimulation is defined as follows. 
Definition 4 (Weak Bisimulation). A binary relation $S \subseteq \mathcal{E} \times \mathcal{E}$ over processes is a weak bisimulation if $(E, F) \in S$ implies, for all $a \in Act$,

— whenever $E \xrightarrow{a} E'$, then there exists $F'$ such that $F \stackrel{\hat{a}}{\Rightarrow} F'$ and $(E', F') \in S$;

— whenever $F \xrightarrow{a} F'$, then there exists $E'$ such that $E \stackrel{\hat{a}}{\Rightarrow} E'$ and $(E', F') \in S$.

Two processes $E, F \in \mathcal{E}$ are (weakly) bisimulation equivalent, denoted by $E \approx_{bis} F$, if there exists a weak bisimulation $S$ containing the pair $(E, F)$.

In [38] it is proved that $\approx_{bis}$ is the largest weak bisimulation and it is an equivalence relation.
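As an added illustration of Definitions 3 and 4 (example code written for this page, not taken from the paper), the following Python computes weak traces, decides $\leq_{trace}$ and decides $\approx_{bis}$ on finite labelled transition systems given as explicit edge lists. The systems for Example 5 and for the "equivalent to $P$" claim at the end of Example 2 are constructed by hand as small transition systems; their state names, the `tau` label and the continuation action `cont` are assumptions of this example, not the result of running the CryptoSPA rules of Figure 3.

```python
# Added example (not the paper's code): weak traces, the trace preorder of
# Definition 3 and the weak bisimulation of Definition 4 on finite labelled
# transition systems.  Names and the hand-built systems are this example's own.
from itertools import product
from typing import Callable, List, Set, Tuple

TAU = "tau"
Edge = Tuple[str, str, str]                  # (source state, action, target state)

class LTS:
    def __init__(self, start: str, edges: List[Edge]):
        self.start, self.edges = start, edges
        self.states = {x for s, _, t in edges for x in (s, t)} | {start}

    def step(self, s: str, a: str) -> Set[str]:
        return {t for src, act, t in self.edges if src == s and act == a}

    def tau_closure(self, states: Set[str]) -> Set[str]:
        """(-tau->)*: reflexive and transitive closure under internal moves."""
        seen, todo = set(states), list(states)
        while todo:
            for t in self.step(todo.pop(), TAU):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def weak_step(self, states: Set[str], a: str) -> Set[str]:
        """=a=> for a visible action a:  (-tau->)* -a-> (-tau->)*."""
        mid = {t for s in self.tau_closure(states) for t in self.step(s, a)}
        return self.tau_closure(mid)

    def enabled(self, states: Set[str]) -> Set[str]:
        return {a for s, a, _ in self.edges if s in states and a != TAU}

    def traces(self, max_len: int = 6) -> Set[Tuple[str, ...]]:
        """Tr(P) cut at length max_len (Tr(P) is infinite for cyclic systems)."""
        out: Set[Tuple[str, ...]] = set()
        todo = [(frozenset(self.tau_closure({self.start})), ())]
        while todo:
            states, tr = todo.pop()
            out.add(tr)
            if len(tr) < max_len:
                for a in self.enabled(states):
                    todo.append((frozenset(self.weak_step(states, a)), tr + (a,)))
        return out

def trace_preorder(p: LTS, q: LTS) -> bool:
    """P <=_trace Q, i.e. Tr(P) ⊆ Tr(Q), without enumerating traces: follow
    the pair of state sets both systems reach after the same trace and fail
    as soon as P can perform a visible action that Q cannot."""
    start = (frozenset(p.tau_closure({p.start})), frozenset(q.tau_closure({q.start})))
    seen, todo = {start}, [start]
    while todo:
        sp, sq = todo.pop()
        for a in p.enabled(sp):
            nxt = (frozenset(p.weak_step(sp, a)), frozenset(q.weak_step(sq, a)))
            if not nxt[1]:
                return False                 # this trace lies in Tr(P) \ Tr(Q)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True

def _matched(es: LTS, e: str, fs: LTS, f: str, related: Callable[[str, str], bool]) -> bool:
    """One direction of Definition 4: every e -a-> e' is answered by f =â=> f'
    (zero or more taus when a is tau) with (e', f') still related."""
    for src, a, e2 in es.edges:
        if src != e:
            continue
        targets = fs.tau_closure({f}) if a == TAU else fs.weak_step({f}, a)
        if not any(related(e2, f2) for f2 in targets):
            return False
    return True

def weakly_bisimilar(p: LTS, q: LTS) -> bool:
    """E ≈_bis F by greatest fixpoint: start from all state pairs and drop
    every pair violating Definition 4 until the relation is stable."""
    rel = set(product(p.states, q.states))
    changed = True
    while changed:
        changed = False
        for e, f in list(rel):
            if not (_matched(p, e, q, f, lambda x, y: (x, y) in rel)
                    and _matched(q, f, p, e, lambda y, x: (x, y) in rel)):
                rel.discard((e, f))
                changed = True
    return (p.start, q.start) in rel

# Example 5, built by hand (constructed, not derived from the CryptoSPA rules):
# gamma_MA(P) ||_C X(Kx,A,kAB) can deliver the enemy's fake message or A's
# genuine one to B; gamma_MA(P) \ C can deliver only the genuine one.  The tau
# steps are the hidden exchanges on c, the received(...) labels the low events.
ATTACKED = LTS("s0", [("s0", TAU, "s1"), ("s1", "received(Kx,A)", "s2"),
                      ("s0", TAU, "s3"), ("s3", "received(Ks,A)", "s4")])
ISOLATED = LTS("t0", [("t0", TAU, "t1"), ("t1", "received(Ks,A)", "t2")])

# End of Example 2: hiding the decoration only inserts a tau, which a weak
# equivalence ignores.  `cont` stands in for the continuations A', B'.
PLAIN = LTS("a0", [("a0", TAU, "a1"), ("a1", "cont", "a2")])
HIDDEN = LTS("b0", [("b0", TAU, "b1"), ("b1", TAU, "b2"), ("b2", "cont", "b3")])
```

`ATTACKED.traces()` contains `received(Kx,A)` while `ISOLATED.traces()` does not, so `trace_preorder(ATTACKED, ISOLATED)` fails in one direction exactly as Example 5 states, and `weakly_bisimilar(ATTACKED, ISOLATED)` is false as well; `PLAIN` and `HIDDEN` are weakly bisimilar, which is the claim at the end of Example 2. `trace_preorder` compares the sets of states reachable after the same trace, so it terminates on cyclic systems where `traces()` has to be cut off; `weakly_bisimilar` computes the largest weak bisimulation by iterated refinement, which is why the remark that $\approx_{bis}$ is the largest weak bisimulation matters: a pair survives the refinement iff it lies in that relation.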

NDC for CryptoSPA. The family of security properties $NDC^{\phi_I}_{\approx}$ for CryptoSPA, for any choice of the initial knowledge $\phi_I$ and for any choice of the behavioural semantics $\approx$, is defined as follows. To simplify the notation, we will write $P \|_C X$ as a shorthand for $(P \| X) \setminus C$.

Definition 5. Let $P \in \mathcal{E}$ be a decorated CryptoSPA process and $\approx$ one of the behavioural equivalences presented in the previous section. We say that

\[ P \in NDC^{\phi_I}_{\approx} \text{ iff } \forall X \in \mathcal{E}_C^{\phi_I} : P \|_C X \approx P \setminus C \]

On the one hand, $P \setminus C$ represents the secure specification of the protocol $P$ running in isolation on perfectly secure channels. The visible behaviour of $P$ is given by the property dependent, extra observable actions included into the specification. Hence, the behaviour of $P \setminus C$ should describe the security property of interest. On the other hand, if $P \setminus C$ is equivalent to $P \|_C X$, then this clearly means that $X$ is not able to modify in any way the observable execution of $P$, i.e., the security property holds.

Strictly speaking, NDC is used to denote the specific instance in the family when $\approx$ is $\approx_{trace}$, and BNDC when $\approx$ is $\approx_{bis}$. Moreover, for notational convenience, if the behavioural semantics is a preorder $\lhd$, then the associated NDC variant is denoted with $NDC_{\lhd}$.

4 Verification and Compositionality 

In this section we want to address the issue of formal verification of the NDC 
properties on cryptographic protocols. 

First we will address the issue of the existence, in dependence of the behavioural semantics, of a most powerful enemy (mpe, for short), in such a way that the universal quantification over all possible enemies can be removed in favour of a single check against such a mpe.

We will also study the related problem of how to circumvent the universal 
quantification in the absence of a mpe (this is the case when the semantics is 
weak bisimulation) by, e.g., resorting to properties stronger than NDC (based 
on bisimulation). 

Then we will address the issue of composition of secure cryptographic proto- 
cols: given two subprotocols that are NDC secure, under which conditions can 
we compose them to get a NDC secure protocol? 







4.1 Most Powerful Enemy 

A serious obstacle to the widespread use of NDC is the universal quantification 
over all admissible enemies. While the proof that a protocol is not NDC can be 
naturally given by exhibiting an enemy that breaks the semantic equality, much 
harder seems the proof that a protocol is indeed NDC, as it requires an infinity 
of equivalence checks, one for each admissible enemy. One reasonable way out 
could be to study if there is an attacker that is more powerful (with respect to 
the chosen behavioural semantics) than all the others, so that one can reduce 
the infinity of checks to just one, albeit huge, check with respect to such a most 
powerful enemy. 

We will say that a preorder $\lhd$ is a pre-congruence (w.r.t. the operator $\|_C$) if for every $P, Q, R \in \mathcal{E}$, if $Q \lhd R$ then $P \|_C Q \lhd P \|_C R$. Thus it is easy to prove the following [37].

Proposition 2. If $\lhd$ is a pre-congruence and if there exists a process $Top \in \mathcal{E}_C^{\phi_I}$ such that for every process $X \in \mathcal{E}_C^{\phi_I}$ we have $X \lhd Top$, then:

\[ P \in NDC_{\lhd} \text{ iff } P \|_C Top \lhd P \setminus C \] ■

Proof. ($\Leftarrow$) By the hypothesis that $\lhd$ is a pre-congruence, we have that $X \lhd X'$ implies $P \|_C X \lhd P \|_C X'$. Thus, if for every process $X \in \mathcal{E}_C^{\phi_I}$ we have $X \lhd Top$, then we will also have $P \|_C X \lhd P \|_C Top$ for every process $X \in \mathcal{E}_C^{\phi_I}$, and so, as by hypothesis $P \|_C Top \lhd P \setminus C$, we obtain $P \|_C X \lhd P \|_C Top \lhd P \setminus C$, i.e., $P$ is $NDC_{\lhd}$.

($\Rightarrow$) By definition of $NDC_{\lhd}$, since $Top \in \mathcal{E}_C^{\phi_I}$. ■

If the hypotheses of the proposition above hold, then it is sufficient to check that $P \setminus C$ is equivalent to $P$ composed with the most powerful enemy $Top$.

We also have the following corollary for the congruence induced by $\lhd$, which essentially clarifies that NDC requires that $P$ under the attack of the most powerful enemy is equivalent to $P$ under the attack of the least powerful enemy, as well as to $P$ in isolation.

Corollary 1. Let $\lhd$ be a pre-congruence and let $\approx = \lhd \cap \lhd^{-1}$. If there exist two processes $Bot, Top \in \mathcal{E}_C^{\phi_I}$ such that for every process $X \in \mathcal{E}_C^{\phi_I}$ we have $Bot \lhd X \lhd Top$, then

\[ P \in NDC_{\approx} \text{ iff } P \|_C Bot \approx P \|_C Top \approx P \setminus C \] ■

Given these very general results, one may wonder if it is possible to apply them to some of the semantics we have described in Section 3.3. Indeed, this is the case, at least for the trace preorder $\leq_{trace}$, which is a pre-congruence (cf. Proposition 1).

The easy part is to identify the minimal element $Bot$ in $\mathcal{E}_C^{\phi_I}$ w.r.t. $\leq_{trace}$: it is clear that the minimum set of traces is the empty set, which is generated, e.g., by process $0$. As a matter of fact, $P \|_C 0 \approx P \setminus C$ for most equivalences $\approx$.
Let us now try to identify the top element $Top$ in $\mathcal{E}_C^{\phi_I}$ w.r.t. $\leq_{trace}$. A "most powerful enemy" can be defined by using a family of processes $Top^{\phi}_{trace}$, each representing the instance of the enemy with knowledge $\phi$:

\[ Top^{\phi}_{trace} = \sum_{c \in C,\; m \in Msg(c)} c(m).Top^{\phi \cup \{m\}}_{trace} \;+\; \sum_{c \in C,\; m \in \mathcal{D}(\phi) \cap Msg(c)} \bar{c}m.Top^{\phi}_{trace} \]

The "initial element" of the family is $Top^{\phi_I}_{trace}$, as $\phi_I$ is the initial knowledge. Note that it may accept any input message, to be bound to the variable $x$ which is then added to the knowledge set $\phi \cup \{x\}$, and may output only messages that can transit on the channel $c$ and that are deducible from the current knowledge set $\phi$ via the deduction function $\mathcal{D}$. Note also that $\tau$ summands are not considered, as inessential for the trace preorder. The following holds.

Proposition 3. If $X \in \mathcal{E}_C^{\phi_I}$ then $X \leq_{trace} Top^{\phi_I}_{trace}$.

Proof. We prove that $\mathcal{R} = \{(X', Top^{\phi'}_{trace}) \mid X' \text{ is a derivative of } X,\; X' \in \mathcal{E}_C^{\phi'}\}$ is a (weak) simulation relation [38] containing the pair $(X, Top^{\phi_I}_{trace})$. As the simulation preorder is finer than the trace preorder, the thesis follows. There are three possible cases.

— $X' \xrightarrow{c(m)} X''$ with $c \in C$, $m \in Msg(c)$, $X'' \in \mathcal{E}_C^{\phi''}$ and $\phi'' = \phi' \cup \{m\}$. Then, $Top^{\phi'}_{trace} \xrightarrow{c(m)} Top^{\phi''}_{trace}$ is derivable, and the pair $(X'', Top^{\phi''}_{trace}) \in \mathcal{R}$.

— $X' \xrightarrow{\bar{c}m} X''$ with $c \in C$, $m \in Msg(c) \cap \mathcal{D}(\phi')$ and so $X'' \in \mathcal{E}_C^{\phi'}$. Then, $Top^{\phi'}_{trace} \xrightarrow{\bar{c}m} Top^{\phi'}_{trace}$ is derivable, and the pair $(X'', Top^{\phi'}_{trace}) \in \mathcal{R}$.

— $X' \xrightarrow{\tau} X''$, hence $X'' \in \mathcal{E}_C^{\phi'}$. Then, $Top^{\phi'}_{trace} \Rightarrow Top^{\phi'}_{trace}$ is derivable, and the pair $(X'', Top^{\phi'}_{trace}) \in \mathcal{R}$. ■

So, we have proved that there exists a top of the set $\mathcal{E}_C^{\phi_I}$ with respect to $\leq_{trace}$ and it is indeed $Top^{\phi_I}_{trace}$. Now we want to prove that the single check against the top element is enough to ensure NDC.

Corollary 2. Let $P$ be a CryptoSPA protocol. We have that $P \in NDC^{\phi_I}$ iff $P \|_C Top^{\phi_I}_{trace} \approx_{trace} P \setminus C$.

Proof. By Corollary 1, it is enough to observe that $\leq_{trace}$ is a precongruence (cf. Proposition 1) and that the top element is $Top^{\phi_I}_{trace}$. ■

It is interesting to observe that $Top^{\phi}_{trace}$ is the top element also for other behavioural preorders, namely the simulation preorder [38] and the barbed pre-congruence [40]. Hence the theory above can be rephrased also for these observational semantics.

On the other hand, for weak bisimulation semantics it seems that no (manageable) mpe exists. Hence, in order to avoid the universal quantification we have to follow an alternative strategy, which is the subject of the next subsection.

Finally, observe that even if we have removed the universal quantification, we are not yet in the condition of easy verification of protocols, because the mpe is in general an infinite state system. In order to perform an efficient verification, we need to adopt the strategy illustrated in the next subsection, using however a symbolic semantics (this is outside the scope of the current presentation).



4.2 Static Characterization of NDC 



In this section we develop for NDC an alternative strategy to avoid the universal
quantification over all the admissible enemies. The idea is based on a static
characterization for NDC in the setting of SPA [17,19], according to which NDC
is proved to coincide with another non-interference property called Strong Non-
deterministic Non-Interference (SNNI for short).

A SPA process P is SNNI if $P \setminus H$, where no high level activity is allowed,
behaves like system P where all the high level activities are hidden (i.e., transformed
into internal $\tau$ actions). To express this second system, we need to introduce
first the hiding operator $P/L$ (where L is an arbitrary subset of $\mathcal{L}$), which
is defined by means of the following rules.



$$
\frac{P \xrightarrow{a} P' \qquad a \notin L \cup \overline{L}}{P/L \xrightarrow{a} P'/L}
\qquad\qquad
\frac{P \xrightarrow{a} P' \qquad a \in L \cup \overline{L}}{P/L \xrightarrow{\tau} P'/L}
\qquad (1)
$$



Now we are ready to define the property for SPA as follows: $P \in SNNI$ if and
only if we have $P \setminus H \approx_{trace} P/H$. It is rather intuitive to see that $P/H$ can be
seen as $(P \| Top) \setminus H$, where Top is the top element of the trace preorder for SPA;
hence, such a static characterization is somehow a corollary of the existence of a
top element in the trace preorder (together with the fact that the trace preorder
is a precongruence).

The main goal of this section is to show that such a result is translatable
to CryptoSPA, with the proviso of handling the (initial) secrets properly. To
this aim we first introduce a properly enhanced definition of the hiding operator
$P/^{\phi}C$ for CryptoSPA that will allow us to define the non-interference property
$SNNI^{\phi}$, and then to prove that $NDC^{\phi}$ is the same as $SNNI^{\phi}$.



$$
\frac{P \xrightarrow{a} P' \qquad a \notin C \cup \overline{C}}{P/^{\phi}C \xrightarrow{a} P'/^{\phi}C}
$$
$$
\frac{P \xrightarrow{\overline{c}(m)} P' \qquad c \in C \cup \overline{C} \qquad m \in Msg(c) \qquad \phi' = \phi \cup \{m\}}{P/^{\phi}C \xrightarrow{\tau} P'/^{\phi'}C}
$$
$$
\frac{P \xrightarrow{c(m)} P' \qquad c \in C \cup \overline{C} \qquad m \in \mathcal{D}(\phi) \qquad m \in Msg(c)}{P/^{\phi}C \xrightarrow{\tau} P'/^{\phi}C}
\qquad (2)
$$



We are now ready to define the family of $SNNI^{\phi}$ properties, parametrized on
the behavioural semantics $\approx$.

Definition 6. A process P is $SNNI^{\phi}_{\approx}$ if $P \setminus C \approx P/^{\phi}C$.

As for NDC, we will prefix SNNI with a letter characterizing the actual
equivalence $\approx$ we are considering; so, we will have SNNI for trace, but BSNNI for
weak bisimulation. When the chosen behavioural semantics $\approx$ is actually $\approx_{trace}$,
we have the following results.

Proposition 4. If $\phi' \subseteq \phi$ then $SNNI^{\phi} \subseteq SNNI^{\phi'}$.

Proof. Let P be a $SNNI^{\phi}$ process. In order to prove that $P \in SNNI^{\phi'}$, we
have to check that $P \setminus C \approx_{trace} P/^{\phi'}C$ if $P \setminus C \approx_{trace} P/^{\phi}C$. The thesis follows
by observing that $Tr(P \setminus C) \subseteq Tr(P/^{\phi'}C) \subseteq Tr(P/^{\phi}C)$. ■

Proposition 5. $P \in NDC^{\phi}$ iff $P \in SNNI^{\phi}$.

Proof. If $P \in NDC^{\phi}$, then by Corollary 2 we have $P \|_C Top^{\phi}_C \leq_{trace} P \setminus C$.
Hence, the thesis holds if $P \|_C Top^{\phi}_C \approx_{trace} P/^{\phi}C$. We actually prove such
an equality for the simulation equivalence $\simeq$ [38], an equivalence which is finer
than trace equivalence. To this aim, we prove that the following two relations are
(weak) simulations.

$$
\mathcal{R}_1 = \{(P' \|_C Top^{\phi'}_C,\ P'/^{\phi'}C) \mid P' \|_C Top^{\phi'}_C \text{ is a derivative of } P \|_C Top^{\phi}_C\}
$$

and

$$
\mathcal{R}_2 = \{(P'/^{\phi'}C,\ P' \|_C Top^{\phi'}_C) \mid P'/^{\phi'}C \text{ is a derivative of } P/^{\phi}C\}
$$

Let us start with $\mathcal{R}_1$. We have the following three cases.

- $P' \|_C Top^{\phi'}_C \xrightarrow{a} P'' \|_C Top^{\phi'}_C$ with $a \notin C \cup \overline{C}$. Then, $P'/^{\phi'}C \xrightarrow{a} P''/^{\phi'}C$
  and $(P'' \|_C Top^{\phi'}_C,\ P''/^{\phi'}C) \in \mathcal{R}_1$.

- $P' \|_C Top^{\phi'}_C \xrightarrow{\tau} P'' \|_C Top^{\phi''}_C$ as $P' \xrightarrow{\overline{c}(m)} P''$ and $Top^{\phi'}_C \xrightarrow{c(m)} Top^{\phi''}_C$.
  Hence, $c \in C$, $m \in Msg(c)$, $\phi'' = \phi' \cup \{m\}$. Then, it is derivable $P'/^{\phi'}C \xrightarrow{\tau} P''/^{\phi''}C$
  and $(P'' \|_C Top^{\phi''}_C,\ P''/^{\phi''}C) \in \mathcal{R}_1$.

- $P' \|_C Top^{\phi'}_C \xrightarrow{\tau} P'' \|_C Top^{\phi'}_C$ as $P' \xrightarrow{c(m)} P''$ and $Top^{\phi'}_C \xrightarrow{\overline{c}(m)} Top^{\phi'}_C$.
  Hence, $c \in C$, $m \in Msg(c)$, and $m \in \mathcal{D}(\phi')$. Then, it is derivable $P'/^{\phi'}C \xrightarrow{\tau} P''/^{\phi'}C$
  and $(P'' \|_C Top^{\phi'}_C,\ P''/^{\phi'}C) \in \mathcal{R}_1$.

Analogously for relation $\mathcal{R}_2$. ■



A consequence of the proposition above is that one may wonder why we should be
interested in $SNNI^{\phi}$ as, after all, it is equivalent to $NDC^{\phi}$. There are some good
reasons of interest for $SNNI^{\phi}$. First, even in the case of trace semantics, $SNNI^{\phi}$
is of interest because it may lead to more efficient analysis, e.g., it is easier to
formulate in a symbolic way. Second, it helps the formulation of a compositionality
principle, as we will see in the following. Third, the new characterization does
not consider explicitly the notion of (admissible) enemy, while it considers only
the set of (initial) secrets. Hence, it is definable also for those preorders that do
not admit the top element (most powerful enemy, mpe).

This last comment deserves more explanation. Assume we want to prove
that P satisfies BNDC; this may be useful, e.g., for security properties that
need some form of liveness (e.g., non-repudiation). Hence, in order to avoid the
universal quantification, we can try to prove that P satisfies the finer property
$SBSNNI^{\phi}$, that requires that $BSNNI^{\phi}$ holds for all the derivatives of P.
In this way, as the state space of P is (usually) finite, we have removed the
infinity of checks that BNDC requires in favour of a finite number (one for
each derivative of P) of $BSNNI^{\phi}$ checks. A recent paper [7] has independently
proposed this approach and shown how to efficiently prove $SBSNNI^{\phi}$ by means
of a new, equivalent property (called P_BNDC) that need not be verified
on all the derivatives of P.

4.3 Compositionality 

In this section we illustrate a compositional proof method for $SNNI^{\phi}$, originally
introduced in [29]. Within the SPA theory, SNNI is compositional, i.e.,
if $P, Q \in SNNI$ then $P \| Q \in SNNI$. Unfortunately, the same does not hold
when considering enemies with limited knowledge, as for $SNNI^{\phi}$. For instance,
consider the processes:

$$
P = \overline{c_1} m_1 . c_2(x) [x = m_2] . \overline{c_3} m_2
\qquad
Q = \overline{c_1} m_2 . c_2(x) [x = m_1] . \overline{c_3} m_1
$$

Now, assuming $C = \{c_1, c_2\}$ and $\phi = \emptyset$, we have that $P, Q \in SNNI^{\phi}$; indeed,
$P \setminus C$ is equivalent to 0, as well as $P/^{\phi}C$ (it can perform two $\tau$'s and then stop).
However, $P \| Q \notin SNNI^{\phi}$. As a matter of fact, $(P \| Q) \setminus C$ is equivalent to 0, while
$(P \| Q)/^{\phi}C$ may perform both $\overline{c_3} m_1$ and $\overline{c_3} m_2$.

However, if we strengthen the assumptions we can get a compositional rule
for establishing that a process belongs to $SNNI^{\phi}$. The stability assumption we
make is that the process cannot increment its knowledge.

Definition 7. We say that a process P is stable w.r.t. $\phi$ whenever, if $P/^{\phi}C \Longrightarrow P'/^{\phi'}C$,
then $\mathcal{D}(\phi) = \mathcal{D}(\phi')$.

Thus, the following proposition holds.

Proposition 6. Assume that $P, Q \in SNNI^{\phi}$ and that P, Q are stable w.r.t. $\phi$.
Then $(P \| Q) \in SNNI^{\phi}$, and $P \| Q$ is stable w.r.t. $\phi$.

Example 6. We consider a simple example of the application of the principle
above. Consider the processes $P = \overline{c}\{m\}_k.0$ and $Q = c(x).[(x, k) \vdash_{dec} z].0$. Consider
also the process $KEN' = c(x).[x = m].\overline{public}\,m$. Assuming $\phi = \{\{m\}_k\}$
and $C = \{c\}$, we can establish that $P, Q, KEN' \in SNNI^{\phi}$ and are all stable;
hence $P \| Q \| KEN' \in SNNI^{\phi}$, which means that $P \| Q$ keeps m secret. As a
matter of fact, $(P \| Q \| KEN') \setminus C \approx_{trace} 0$.
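The counterexample of this subsection and Example 6 can both be checked mechanically. What follows is an added example, not the paper's own code: a small Python interpreter for finite CryptoSPA-like processes that computes Tr(P \ C) and Tr(P /^φ C) following the hiding rules (2), and decides SNNI^φ (Definition 6, trace semantics) and stability (Definition 7). It assumes atomic messages plus {m}_k terms, a deduction closure D(φ) that only decrypts with known keys, and encodes each input together with the guard that follows it; the names deducible, step, traces, is_snni, is_stable and the KEN encoding of KEN' are my assumptions.

```python
"""Added example: checking SNNI^phi (Definition 6, trace semantics) and
stability (Definition 7) for small finite CryptoSPA-like processes.

Modelling assumptions (mine, not the paper's):
  * a message is an atom (str) or an encryption ('enc', m, k);
  * D(phi) is closed only under decryption with a known key;
  * a sequential process is a tuple of prefixes
      ('out', chan, msg)  output msg on chan
      ('in',  chan, msg)  input on chan whose guard accepts exactly msg
                          (any other value deadlocks and leaves no trace);
  * a parallel composition is a tuple of sequential processes.
"""


def deducible(phi):
    """D(phi): phi plus the plaintexts of encryptions whose key is in D(phi)."""
    known = set(phi)
    while True:
        new = {t[1] for t in known
               if isinstance(t, tuple) and t[0] == 'enc' and t[2] in known}
        if new <= known:
            return frozenset(known)
        known |= new


def step(procs, pcs, phi, C, hide):
    """Transitions of P \\ C (hide=False) or of P /^phi C (hide=True).

    pcs holds one program counter per component, phi the enemy's knowledge.
    Yields (visible action or None for tau, new pcs, new phi).
    """
    cur = [p[pc] if pc < len(p) else None for p, pc in zip(procs, pcs)]
    for i, s in enumerate(cur):
        if s is None:
            continue
        kind, chan, msg = s
        adv = list(pcs)
        adv[i] += 1
        if chan not in C:                     # actions outside C stay visible
            yield s, tuple(adv), phi
        elif hide:                            # rules (2): C-actions become tau
            if kind == 'out':                 # the enemy learns what P emits
                yield None, tuple(adv), deducible(phi | {msg})
            elif msg in phi:                  # the enemy supplies only what it knows
                yield None, tuple(adv), phi
        if kind == 'out':                     # internal synchronisation on chan
            for j, t in enumerate(cur):
                if j != i and t == ('in', chan, msg):
                    both = list(adv)
                    both[j] += 1
                    yield None, tuple(both), phi


def traces(procs, C, phi=frozenset(), hide=False):
    """Prefix-closed set of visible traces (tuples of actions)."""
    seen = set()
    stack = [(tuple(0 for _ in procs), deducible(phi), ())]
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        pcs, ph, tr = state
        for act, npcs, nph in step(procs, pcs, ph, C, hide):
            stack.append((npcs, nph, tr if act is None else tr + (act,)))
    return {tr for _, _, tr in seen}


def is_snni(procs, C, phi=frozenset()):
    """Definition 6 with trace semantics: Tr(P \\ C) = Tr(P /^phi C)."""
    return traces(procs, C, phi, hide=False) == traces(procs, C, phi, hide=True)


def is_stable(procs, C, phi=frozenset()):
    """Definition 7: no derivative of P /^phi C enlarges D(phi)."""
    d0 = deducible(phi)
    seen = set()
    stack = [(tuple(0 for _ in procs), d0)]
    while stack:
        pcs, ph = stack.pop()
        if (pcs, ph) in seen:
            continue
        seen.add((pcs, ph))
        if ph != d0:
            return False
        stack.extend((n, p) for _, n, p in step(procs, pcs, ph, C, hide=True))
    return True


# The counterexample of this subsection: C = {c1, c2}, phi empty.
P = (('out', 'c1', 'm1'), ('in', 'c2', 'm2'), ('out', 'c3', 'm2'))
Q = (('out', 'c1', 'm2'), ('in', 'c2', 'm1'), ('out', 'c3', 'm1'))
C = {'c1', 'c2'}


def counterexample_results():
    """(P SNNI, Q SNNI, P||Q SNNI, P stable): alone they pass, but P is not
    stable, and the composition leaks c3 outputs once the enemy replays m1, m2."""
    return (is_snni((P,), C), is_snni((Q,), C), is_snni((P, Q), C), is_stable((P,), C))


# Example 6: phi = {{m}_k}, C = {c}; KEN' publishes m only if it ever reads m.
M_K = ('enc', 'm', 'k')
P6 = (('out', 'c', M_K),)
Q6 = (('in', 'c', M_K),)            # Q decrypts with k and then stops
KEN = (('in', 'c', 'm'), ('out', 'public', 'm'))


def example6_results():
    """(P||Q||KEN' stable, P||Q||KEN' SNNI) under phi = {{m}_k}."""
    system = (P6, Q6, KEN)
    return is_stable(system, {'c'}, {M_K}), is_snni(system, {'c'}, {M_K})
```

counterexample_results() returns (True, True, False, False): P and Q are each SNNI^φ, P is not stable (its first output enlarges D(φ)), and the composition is not SNNI^φ because the hidden system can emit on c3 while the restricted one cannot. example6_results() returns (True, True), matching the claim of Example 6. The state space is finite because every component is a finite prefix sequence, so the depth-first enumeration terminates.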

Considering bisimulation semantics, it is not difficult to see that the
compositionality principle above scales to $SBSNNI^{\phi}$.

Proposition 7. Assume that $P, Q \in SBSNNI^{\phi}$ and that P, Q are stable w.r.t.
$\phi$. Then $P \| Q \in SBSNNI^{\phi}$ and $P \| Q$ is stable w.r.t. $\phi$.

5 A General Schema for Security Properties 

In this section we formally define the $GNDC^{\alpha}_{\lhd}$ family of properties. The proposed
family of security properties is the following:

Definition 8. Let $P \in \mathcal{E}$ be a CryptoSPA process. We say that

$$
P \in GNDC^{\alpha}_{\lhd} \quad \text{iff} \quad \forall X \in \mathcal{E}^{\phi}_C : \gamma(P) \|_C X \lhd \alpha(P)
$$

where $\lhd \subseteq \mathcal{E} \times \mathcal{E}$ is a relation between processes, $\gamma : \mathcal{E}_C \to \mathcal{E}$ is a decoration
function and $\alpha : \mathcal{E} \to \mathcal{E}$ is a function between processes. ■

We propose a sufficient criterion for a static characterization (i.e. not involving
the universal quantifier $\forall$) of $GNDC^{\alpha}_{\lhd}$ properties.

Proposition 8. If $\lhd$ is a pre-congruence w.r.t. $\|_C$ and if there exists a process
$Top \in \mathcal{E}^{\phi}_C$ such that for every process $X \in \mathcal{E}^{\phi}_C$ we have $X \lhd Top$, then:

$P \in GNDC^{\alpha}_{\lhd}$ iff $\gamma(P) \|_C Top \lhd \alpha(P)$. ■

In particular, if the hypotheses of the proposition above hold then it is sufficient
to check that $\alpha(P)$ is satisfied when P is composed with the most general (i.e.,
most powerful) environment Top. The proposition above is a generalization to
GNDC of Proposition 3. The following corollary for the congruence induced by
$\lhd$ generalizes Corollary 2:

Corollary 3. Let $\lhd$ be a pre-congruence w.r.t. $\|_C$ and let $\approx\ = \lhd \cap \lhd^{-1}$. If there
exist two processes $Bot, Top \in \mathcal{E}^{\phi}_C$ such that for every process $X \in \mathcal{E}^{\phi}_C$ we have
$Bot \lhd X \lhd Top$ then

$P \in GNDC^{\alpha}_{\approx}$ iff $\gamma(P) \|_C Bot \approx \gamma(P) \|_C Top \approx \alpha(P)$. ■

Footnote: Indeed GNDC depends on the set $\mathcal{E}^{\phi}_C$, hence on $\phi$ and C, but we will omit them
for the sake of readability.
5.1 Compositionality

We have a compositionality principle for the $GNDC^{\alpha}_{\lhd}$ schema, also in this
case under the assumption that the involved processes are stable. It basically
states that security properties, represented as specification processes $\alpha_i(P_i)$, i =
1, 2, can be composed resulting in the property represented by the composition of
the specification processes $\alpha_1(P_1) \| \alpha_2(P_2)$. As far as decorations are concerned,
we assume that the compound process $P_1 \| P_2$ is decorated componentwise, hence
below we omit the explicit mention of the $\gamma$ functions.

Proposition 9. Given the set of initial knowledge $\phi$ and the set of public
channels C, assume $P_i \in GNDC^{\alpha_i(P_i)}_{\leq_{trace}}$ with i = 1, 2, and $P_1, P_2$ are stable w.r.t. $\phi$.
It follows that $(P_1 \| P_2) \in GNDC^{\alpha_1(P_1) \| \alpha_2(P_2)}_{\leq_{trace}}$ and $P_1 \| P_2$ is stable w.r.t. $\phi$.



Example 7. Consider the following family of processes S(i), each sending a
message $(m_i, i)$ after every time unit:

$$
S(i) = [((m_i, i), pk_A) \vdash_{enc} z].\overline{c}\,z.S(i+1)
$$

Consider also a family of receivers of this kind:

$$
R(i) = c(y)[(y, pk_A^{-1}) \vdash_{dec} t][t \vdash_{snd} t_2][t_2 = i][t \vdash_{fst} t_1]\overline{out}\,t_1.R(i+1)
$$

Basically, we have that $(S(0) \| R(0)) \setminus C$, where $C = \{c\}$, is trace included into
Spec(0) where

$$
Spec(i) = \overline{out}\,m_i.Spec(i+1)
$$

Consider $\phi = \{\{(m_i, i)\}_{pk_A} \mid 0 \leq i\} \cup \{pk_A\}$ as the intruder's knowledge set.
Then, we have that S(0) and R(0) are stable w.r.t. $\phi$ and $S(0) \in NDC^{\phi}$, with
$S(0) \setminus C =_{trace} 0$, and $R(0) \in GNDC^{Spec(0)}_{\leq_{trace}}$. By Proposition 9, we have that

$$
(S(0) \| R(0) \| Top^{\phi}_C) \setminus C \ \leq_{trace}\ 0 \| Spec(0) \ \approx_{trace}\ Spec(0)
$$



5.2 Non-deducibility on Compositions 

Since $GNDC^{\alpha}_{\lhd}$ is a generalization of NDC it can be instantiated in order
to obtain NDC and also the bisimulation based NDC, called BNDC. Let $Id_C$
be the identical decoration function. Then, NDC and BNDC correspond to
$GNDC^{P \setminus C}_{\approx_{trace}}$ and $GNDC^{P \setminus C}_{\approx_{bisim}}$, respectively, both with decoration $Id_C$.

For NDC it is also possible to apply Corollary 3 obtaining an interesting
static characterization.

Proposition 10. P is NDC iff $P \|_C Top^{\phi}_C \approx_{trace} P \setminus C$. ■

This result is analogous to the one in [17], for multilevel security. Note that
here we have found it as a particular case of the more general result of Corollary 3.
5.3 The Agreement Property

In this section we show that also the approach proposed in [33] for the analysis
of authentication properties, inside the framework of the CSP [31] process algebra,
can be rephrased in terms of our specification schema. Agreement is a formal-
ization, in the CSP calculus, of the correspondence idea proposed in [45], and
previously discussed in Section 1.3. The basic idea of the Agreement property is
the following:

"A protocol guarantees to a responder B Agreement with an initiator A
on a set of data items ds if, whenever B (acting as responder) completes
a run of the protocol, apparently with initiator A, then A has previ-
ously been running the protocol, apparently with B, and A was acting
as initiator in her run, and the two agents agreed on the data values cor-
responding to all the variables in ds, and each such run of B corresponds
to a unique run of A".

What is technically done in the Agreement property is to have for each party an
action representing the running of the protocol and another one representing the
completion of it. For example, consider an action $commit\_res(B, A, d)$ represent-
ing a correct termination of B as a responder that is convinced to communicate
with A and agrees on data in d. Moreover we have an action $running\_ini(A, B, d)$
that represents the fact that A is running the protocol as initiator, apparently
with B and with data d. If we have these two actions specified in the proto-
col, the Agreement property requires that when B executes $commit\_res(B, A, d)$
then A has previously executed $running\_ini(A, B, d)$. This means that every
time B completes the protocol with A convinced that the relevant data are the
ones represented by d, then A must have been running the protocol with B using
exactly the data in d.

We can see the actions representing the runs and the commits as output
actions over two particular channels $running\_ini$ and $commit\_res$. In [33], it is
assumed that the actions representing the runs and the commits are correctly
specified in the protocol. Here, we consider protocols of the form:

$$
P = C_1(U_1, U_1', d_1) \| \ldots \| C_n(U_n, U_n', d_n) \| V_1^{y_1}(Z_1, Z_1') \| \ldots \| V_n^{y_n}(Z_n, Z_n')
$$

where each claimant process $C_i(U_i, U_i', d_i)$ and each verifier process $V_i^{y_i}(Z_i, Z_i')$
are all sequential processes, i.e., processes composed only of sequences of actions,
and represent user $U_i$ willing to authenticate with user $U_i'$, agreeing on data $d_i$,
and user $Z_i$ verifying the identity of user $Z_i'$, agreeing on data contained in
variable $y_i$. Given this specific (but reasonable) protocol form, we can easily give
a decoration $\gamma_{Agree}(P)$ as follows:

$$
\begin{aligned}
\gamma_{Agree}(P) = {} & running\_ini(U_1, U_1', d_1).C_1(U_1, U_1', d_1) \| \ldots \\
& \| running\_ini(U_n, U_n', d_n).C_n(U_n, U_n', d_n) \\
& \| \widehat{V}_1^{y_1}(Z_1, Z_1') \| \ldots \| \widehat{V}_n^{y_n}(Z_n, Z_n')
\end{aligned}
$$

where $\widehat{V}_i^{y_i}$ is the process $V_i^{y_i}$ in which 0 is replaced by $commit\_res(Z_i, Z_i', y_i)$, i.e.,
it terminates with action $commit\_res(Z_i, Z_i', y_i)$.

Now that we have defined how to decorate a protocol, we need to specify
which are the good behaviours $\alpha(P)$ of a process P. For simplicity, we only
analyze the case where A is the initiator and B is the responder, and the set ds
of variables is composed only of d, which can assume values in a set D. However,
the specification can be easily extended in order to cover all the cases studied in
[33]. Function $\alpha(P)$ can be defined as follows:

$$
\begin{aligned}
P' &= \sum_{a \in Sort(P) \setminus \{running\_ini,\ commit\_res\}} a.P' \\
P''(x, y) &= \sum_{d \in D} running\_ini(x, y, d).commit\_res(y, x, d) \\
\alpha_{Agree}(P) &= P' \| P''(A, B)
\end{aligned}
$$

Given P, $\alpha(P)$ represents the most general system which satisfies the agreement
property and has the same sort as P. As a matter of fact in $\alpha(P)$ the action
$running\_ini(A, B, d)$ always precedes $commit\_res(B, A, d)$ for every datum d,
and every combination of the other actions of P can be executed. In order to
analyze more than one session, it is sufficient to consider an extended $\alpha$ which
has several processes $P''(A, B)$ in parallel. For example, for n sessions we can
consider the following:

$$
\alpha_{Agree}(P) = P' \| \underbrace{P''(A, B) \| \ldots \| P''(A, B)}_{n}
$$

We want that even in the presence of a hostile process X, P does not execute
traces that are not in $\alpha(P)$, i.e., we require that $P \|_C X \leq_{trace} \alpha(P)$. So we can
give the following definition:

Definition 9. P satisfies Agreement iff P is $GNDC^{\alpha_{Agree}(P)}_{\leq_{trace}}$. ■

Example 8. Consider once more the protocol first presented in Example 1. It
can be easily written in the form discussed above as follows:

$$
\begin{aligned}
P &= C(A, B, K_s) \| V^{z}(B, A) \\
C(a, b, k) &= \overline{c}\{k, a\}_{K}.0 \\
V^{z}(b, a) &= c(y).[(y, K) \vdash_{dec} w][w \vdash_{fst} z].0
\end{aligned}
$$

Notice that $V^{z}(B, A)$ specifies z as the variable which should contain the datum
the processes are willing to agree on, i.e., the session key $K_s$. Now we have that

$$
\begin{aligned}
\gamma_{Agree}(P) = {} & running\_ini(A, B, K_s).\overline{c}\{K_s, A\}_{K} \\
& \| c(y).[(y, K) \vdash_{dec} w][w \vdash_{fst} z].commit\_res(B, A, z)
\end{aligned}
$$

It is possible to prove that $\forall X \in \mathcal{E}^{\phi}_C : \gamma_{Agree}(P) \|_C X \leq_{trace} \alpha_{Agree}(P)$, i.e.,
that $P \in GNDC^{\alpha_{Agree}(P)}_{\leq_{trace}}$. However, as noticed in Section 1.3,
this protocol is flawed when more than one session is considered. Two sessions
of P can be modelled by just replicating P twice, i.e., by considering $P \| P$.
Now let $X = c(w).\overline{c}\,w.\overline{c}\,w$ be the enemy that intercepts the message sent
over c and replays it twice. It is easy to see that $Tr(\gamma_{Agree}(P \| P) \|_C X) =$
$\{running\_ini(A, B, K_s).commit\_res(B, A, K_s).commit\_res(B, A, K_s)\}$, which is
not included in $Tr(\alpha_{Agree}(P \| P))$, as the second commit is not matched by any
running action. ■

Note that in [33] it is only required that Agreement holds when the system is
composed with a particular intruder, which turns out to be equivalent to the most
general one. In the following we exploit Proposition 8 in order to formally prove
that such a (static) requirement is indeed sufficient (and necessary) to guarantee
our GNDC-based version of Agreement. As a matter of fact, by Propositions 3
and 8 we immediately have the following result:

Proposition 11. P satisfies Agreement iff it holds $\gamma_{Agree}(P) \|_C Top^{\phi}_C \leq_{trace} \alpha_{Agree}(P)$. ■

In [33], other versions of Agreement are defined. We can rephrase all of them in
our model by simply changing the $\alpha$ function (see the footnote on recentness below).

5.4 Message-Oriented Authentication

Now, we consider the message-based approach to authentication defined in [43,42]
using the CSP language. The idea is to observe when a set of messages T
authenticates another set of messages R. Informally, T authenticates R if the occurrence
of some element of T implies the occurrence of some element of R (it is required
that T and R are disjoint). When a system P satisfies this property we say that
P satisfies T authenticates R.

In [43] the net is represented by a process Medium which acts like a router
by receiving and forwarding the messages to the correct process. In CSP, it is
possible to observe the communication between the processes and the medium
since they are not "internalized" as in CCS. However, we can simulate this by
assuming that the Medium echoes every routing of messages through particular
output actions on two reserved channels send and rcv which do not belong to
C. Action $send(i, m)$ corresponds to the sending of message m performed by
agent i and, symmetrically, $rcv(i, m)$ represents the reception of it by agent
i. (We assume to have a set Agents of agent identities with X denoting the
intruder identity.) In this way we can observe communication as done in CSP.
This message echoing is obtained by suitably decorating the specification as
follows:

$$
\begin{aligned}
\gamma_{auth}(P) &= (P[f] \| Medium) \setminus W \\
Medium &= \sum_{c \in C,\ i,j \in Agents} c^{i}_{send}(x).\overline{send}(i, x).(Medium \| \overline{c^{j}_{rcv}}\,x.\overline{rcv}(j, x).0)
\end{aligned}
$$

where f is a relabelling function that maps all the output actions $\overline{c}(m)$,
performed by agent i, into $\overline{c^{i}_{send}}(m)$ and all the input actions $c(m)$, performed by
agent i, into $c^{i}_{rcv}(m)$. Moreover, $W = \{c^{i}_{*} \mid i \neq X \text{ and } * \in \{send, rcv\}\}$, i.e., W
is the set of all the Medium channels that are not used to communicate with
the intruder X. This relabelling has the effect of forcing all the communication
through the Medium, which can consequently make observable every message
exchange through the special channels send and rcv. Notice that messages are
buffered so that the Medium is always ready to "route" new messages.

Footnote: Indeed, recentness cannot be immediately rephrased in our CCS-based model,
because of the difference in handling communication with respect to CSP. This could
be overcome by extending our language with time as done in [21,29]. This is only
related to the differences in the model, and is not caused by a weakness of our
schema.

Sets T and R range over these reserved actions. We can now define the
$\alpha^{T,R}_{auth}(P)$ function as follows:

$$
\begin{aligned}
\alpha^{T,R}_{auth}(P) &= P' \\
P' &= \Big(\sum_{a \in Act,\ a \notin R \cup T} a.P'\Big) + \sum_{a \in R} a.P'' \\
P'' &= \sum_{a \in Act} a.P''
\end{aligned}
$$

Process $\alpha^{T,R}_{auth}(P)$ can execute actions in T only after it has executed some
actions in R. This can be seen by noticing that $P'$ moves to $P''$ (which
can execute also actions in T) only after it performs at least one action in R.
This is exactly what we require of our system P, and $\alpha^{T,R}_{auth}(P)$ is indeed the
most general system (with the same sort as P) satisfying T authenticates R.
So we can give the following definition:

Definition 10. P satisfies T authenticates R iff P is $GNDC^{\alpha^{T,R}_{auth}(P)}_{\leq_{trace}}$. ■

As in the section above, we can prove that the approach followed in [43], where
only the most powerful intruder is considered, guarantees that the property
holds in the presence of whatever hostile process. By Propositions 3 and 8 we
obtain that:

Proposition 12. P satisfies T authenticates R iff $\gamma_{auth}(P) \|_C Top^{\phi}_C \leq_{trace} \alpha^{T,R}_{auth}(P)$. ■



5.5 Secrecy 

In this section we show that NDC can be easily adapted for analysing secrecy
in networks. Consider now a protocol P(M) and assume that we want to verify
if P(M) preserves the secrecy of message M. This can be done by proving that
every enemy which does not know message M cannot learn it by interacting
with P(M). Thus, we need a mechanism that notifies whenever an enemy is
learning M. We implement it through a simple process called knowledge notifier
which reads from a public channel $c_k \in C \setminus sort(P(M))$ not used in P(M) and
executes a $learnt\,M$ action if the read value is exactly equal to M. For a generic
message m, it can be defined as follows:

$$
KN(m) = c_k(y).[m = y]\overline{learnt}\,m
$$

We assume that learnt is a special channel that is never used by protocols and
is not public, i.e., $learnt \notin sort(P) \cup C$. We now decorate P(m) as follows:

$$
\gamma_{secret}(P(m)) = P(m) \| KN(m)
$$

Intuitively, $\gamma_{secret}(P(m))$ is a modified protocol where the learning of m is now
notified. To guarantee the secrecy of m, it is enough to require that for every
secret M and for every enemy X, process $(\gamma_{secret}(P(M)) \| X) \setminus C$ never executes
a $learnt\,M$ action. On the one hand, if $(\gamma_{secret}(P(M)) \| X) \setminus C$ executes $learnt\,M$
then M has been sent over the public channel by either P(M) or X. In both
cases the message is not secret anymore. In the former situation P(M) is making
M public, while in the latter X has for sure learned M before sending it over
$c_k$. On the other hand, if an enemy X is able to learn message M then there
also exists an enemy X' that will send such a message over channel $c_k$ and thus
$(\gamma_{secret}(P(M)) \| X') \setminus C$ will eventually execute $learnt\,M$.

This can be formalized by considering a simple function $\alpha_{secret}$ that can
execute all the protocol actions but the special action learnt:

$$
\alpha_{secret}(P) = Top^{Sort(P),\,\mathcal{M}}_{trace}
$$

Definition 11. P(m) preserves the secrecy of m iff for all (secret) messages
$M \in \mathcal{M} \setminus \mathcal{D}(\phi)$, P(M) is $GNDC^{\alpha_{secret}(P(M))}_{\leq_{trace}}$. ■

Notice that $\alpha_{secret}(P(M))$ never executes action learnt, thus forbidding its
execution even when every possible intruder is considered.

Footnote: We are implicitly assuming that channels with subscripts send and rcv are not used
in protocol specification. This assumption is trivially met by a syntactical renaming
of channels. We are also assuming that every agent has a unique name i. This is also
done in [43] and will be exploited when considering non-repudiation.

An Example. In this section we show through a simple example how the NDC-
based secrecy verification works. We consider a simplified version of the Wide
Mouthed Frog protocol [9].

Consider two processes A and B respectively sharing keys $k_{AS}$ and $k_{BS}$ with
a trusted server S. In order to establish a secure channel with B, A sends a fresh
key $k_{AB}$ encrypted with $k_{AS}$ to the server S. Then, the server decrypts the key
and forwards it to B, this time encrypted with $k_{BS}$. Now B has the key $k_{AB}$ and
A can send a message $m_A$ encrypted with $k_{AB}$ to B. The protocol is composed
of the following three messages (see also Figure 5):

$$
\begin{aligned}
\text{message 1}\quad & A \to S : A, B, \{k_{AB}\}_{k_{AS}} \\
\text{message 2}\quad & S \to B : \{A, k_{AB}\}_{k_{BS}} \\
\text{message 3}\quad & A \to B : \{m_A\}_{k_{AB}}
\end{aligned}
$$

Fig. 5. Graphical description of the WMF protocol.

The main difference with respect to the original protocol is that here messages 1
and 2 do not contain timestamps (as studied in [2] for authentication). Moreover,
in message 1 the identifier B is sent as plaintext while in the original protocol it
is encrypted with the session key (this modification generates, as we will show,
a secrecy attack). We specify the protocol as follows (tuples are encoded as
described in the footnote below):

$$
\begin{aligned}
A(m, k) &\stackrel{def}{=} \overline{c_1}((A, B), \{k\}_{k_{AS}}) \\
B &\stackrel{def}{=} c_2(y).[(y, k_{BS}) \vdash_{dec} w][w \vdash_{snd} s].c_3(t).[(t, s) \vdash_{dec} w] \\
S &\stackrel{def}{=} c_1(x).[x \vdash_{fst} p][p \vdash_{fst} s][p \vdash_{snd} r][x \vdash_{snd} c][(c, K(s)) \vdash_{dec} k].\overline{c_2}\{(s, k)\}_{K(r)} \\
P(n) &\stackrel{def}{=} A(n, k_{AB}) \| B \| S
\end{aligned}
$$

where K(id) is a function that returns the key shared between the server and
entity id (e.g., K(A) returns $k_{AS}$). Moreover we have that $\{c_1, c_2, c_3\} \subseteq C$.
Consider now the following enemy:

$$
\begin{aligned}
X \stackrel{def}{=}\ & c_1(x).[x \vdash_{snd} y]. && \text{intercepts message 1} \\
& \overline{c_1}((A, E), y). && \text{replaces B with E, sends it} \\
& c_2(z).[(z, k_{ES}) \vdash_{dec} w][w \vdash_{snd} k]. && \text{intercepts msg 2, obtains k} \\
& c_3(j).[(j, k) \vdash_{dec} w]. && \text{decrypts msg 3} \\
& \overline{c_k}\,w && \text{sends message to KN}
\end{aligned}
$$

It is easy to see that process $(\gamma_{secret}(P(M)) \| X) \setminus C \not\leq_{trace} \alpha_{secret}(P(M))$ as
the former process can execute $learnt\,M$. The attack performed by X is the
following:

$$
\begin{aligned}
\text{message 1}\quad & A \to E(S) : A, B, \{k_{AB}\}_{k_{AS}} \\
\text{message 1'}\quad & E(A) \to S : A, E, \{k_{AB}\}_{k_{AS}} \\
\text{message 2'}\quad & S \to E : \{A, k_{AB}\}_{k_{ES}} \\
\text{message 3}\quad & A \to E(B) : \{M\}_{k_{AB}}
\end{aligned}
$$

Footnote: We encode tuples through a left associative canonical form, e.g., the first message
$A, B, \{k_{AB}\}_{k_{AS}}$ becomes $((A, B), \{k_{AB}\}_{k_{AS}})$.

By message 2' the enemy learns $k_{AB}$ and, by message 3 which is addressed to
B, it finally learns M.

Consider now the protocol where, in the first message, B is encrypted with
the session key:

$$
\text{message 1}\quad A \to S : A, \{B, k_{AB}\}_{k_{AS}}
$$

Here the secrecy attack is not possible anymore since cryptography protects the
identifier from being modified by the intruder.
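The comparison between the two message formats can be reproduced mechanically. The following added example (not the paper's code) performs a bounded symbolic check in the spirit of the knowledge notifier KN(M): it computes the enemy's deduction closure D(φ) over the messages observed on the public channels, models the server S as an oracle the enemy may query, and reports whether m_A (and k_AB) become deducible for the flawed format and for the fixed one. The term encoding, the KEYS and AGENTS tables, the round bound and all function names are my assumptions.

```python
"""Added example (not the paper's code): bounded symbolic secrecy check for the
simplified Wide Mouthed Frog exchange, asking whether the secret ever enters
the enemy's deduction closure (the event the knowledge notifier KN(M) signals).

Model assumptions (mine):
  * terms are atoms, ('enc', m, k) for {m}_k and ('pair', a, b) for (a, b);
  * closure() applies only projection and decryption with a known key;
  * the server S is an oracle that the enemy may query with any message 1 it
    can assemble from known ciphertexts and agent names;
  * the enemy E holds k_ES and observes everything on c1, c2, c3.
"""

KEYS = {'A': 'k_AS', 'B': 'k_BS', 'E': 'k_ES'}          # K(id)
AGENTS = tuple(KEYS)
ENEMY_INITIAL = frozenset({'A', 'B', 'E', 'k_ES'})


def enc(m, k):
    return ('enc', m, k)


def pair(a, b):
    return ('pair', a, b)


def closure(known):
    """D(phi): close under fst/snd projection and decryption with a known key."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == 'pair':
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == 'enc' and t[2] in known:
                new.add(t[1])
        if new <= known:
            return frozenset(known)
        known |= new


def server(msg1, flawed):
    """S: decrypt the key with K(sender) and re-encrypt (sender, key) for the
    receiver.  In the flawed format the receiver name travels in the clear; in
    the fixed one it is inside the encryption.  Returns None on failure."""
    if flawed:
        s, r, c = msg1
        if not (isinstance(c, tuple) and c[0] == 'enc' and c[2] == KEYS.get(s)):
            return None
        k = c[1]
    else:
        s, c = msg1
        if not (isinstance(c, tuple) and c[0] == 'enc' and c[2] == KEYS.get(s)):
            return None
        inner = c[1]
        if not (isinstance(inner, tuple) and inner[0] == 'pair'):
            return None
        r, k = inner[1], inner[2]
    if r not in KEYS:
        return None
    return enc(pair(s, k), KEYS[r])


def observed_messages(flawed, k_ab='k_AB', secret='m_A'):
    """The three messages of one honest run, as seen on the public channels."""
    msg1 = (pair(pair('A', 'B'), enc(k_ab, 'k_AS')) if flawed
            else pair('A', enc(pair('B', k_ab), 'k_AS')))
    msg2 = enc(pair('A', k_ab), 'k_BS')
    msg3 = enc(secret, k_ab)
    return {msg1, msg2, msg3}


def enemy_learns(term, flawed, rounds=2):
    """Bounded fixpoint: each round the enemy queries S with every message 1 it
    can build from known ciphertexts and agent names, then closes D(phi).
    Returns True iff `term` is deducible afterwards."""
    known = closure(ENEMY_INITIAL | observed_messages(flawed))
    for _ in range(rounds):
        replies = set()
        for c in [t for t in known if isinstance(t, tuple) and t[0] == 'enc']:
            for s in AGENTS:
                queries = [(s, r, c) for r in AGENTS] if flawed else [(s, c)]
                for q in queries:
                    reply = server(q, flawed)
                    if reply is not None:
                        replies.add(reply)
        known = closure(known | replies)
    return term in known


def wmf_results():
    """(flawed leaks k_AB, flawed leaks m_A, fixed leaks m_A)"""
    return (enemy_learns('k_AB', True), enemy_learns('m_A', True),
            enemy_learns('m_A', False))
# -> (True, True, False)
```

wmf_results() returns (True, True, False): with B in the clear the enemy re-addresses message 1 to itself, S answers with {A, k_AB}_{k_ES}, and one decryption step later m_A is in D(φ); with B inside the encryption every reply S can produce stays under k_AS or k_BS, so the closure never grows past what was observed. The round bound keeps the oracle model finite, which is what a bounded-session analysis does in practice.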

5.6 Non-repudiation 

In this section, we show that also non-repudiation properties can be formulated
within the GNDC schema. Non-repudiation protocols aim at producing evidence
about the execution of services, among parties that do not trust each other (see
[46,47]).

In [41] Schneider shows how to apply verification methods based on the CSP
process algebra to the analysis of a (fair) non-repudiation protocol proposed in
[46]. Among the non-repudiation properties studied in [41,47], we briefly recall:

— Non-Repudiation of Origin (NRO) is intended to protect the receiver from
the false denial of another party to have sent a message.

— Non-Repudiation of Receipt (NRR) is intended to protect the sender from
the false denial of another party to have received a message.

Intuitively, the analysis performed by Schneider is similar to his message-based
authentication (see the section above). As an example, consider NRO verification:
if the receiver is able to produce evidence of the sending of a certain message
m, then m should have been sent. In other words, such evidence should
"authenticate" m (in the sense of message-based authentication).

Non-repudiation protocols differ from the protocols discussed so far, which
always involve communication among two or more trusted parties in a hostile
environment. In non-repudiation protocols, parties do not trust each other,
and in particular, one of them could try to act maliciously in order to obtain
some advantage. As we will see, this can be modelled in the GNDC schema by
considering the malicious party as a whole with the hostile environment.

In the verification of NRO (NRR) we assume that a Judge should be able
to establish that a certain message has been sent (received) if he obtains some
evidence of it from the receiver (sender). This verification should be carried out
by only assuming that both the sender and the receiver have not sent on the
net some secret information which could invalidate the evidence, like, e.g., their
signature keys. In case of a dispute, the Judge cannot assume that both the
parties have followed the protocol but she will always assume that none of them
has compromised his own secret key.

Schneider models both the sender and the receiver similarly to the most
general intruder with the constraint that long-term keys are never compromised.
In order to apply the GNDC schema, we consider a weaker (but still reasonable)
notion of NRO; in particular, we require that if the receiver B, after following
the protocol, is able to give evidence of origin, then the sender A has actually
sent that message. We call this NRO with honest receiver, written $NRO_{hr}$. It
can be encoded in the GNDC schema by considering a process $P_B$ where only
the receiver B and the fragment of A, $T_A$, related to encryption with long-term
(secret) keys, are specified. $P_B$ has the following form:

$$
P_B = \ldots \| T_A \| B_1^{y_1}(Z_1, Z_1') \| \ldots \| B_n^{y_n}(Z_n, Z_n')
$$

where each process $B_i^{y_i}(Z_i, Z_i')$ is sequential and represents $Z_i$ getting the
evidence of origin of the message contained in variable $y_i$ sent by user $Z_i'$. Given this
specific (but reasonable) protocol form, we can easily give a decoration $\gamma_{nro}(P_B)$
as follows:

$$
\gamma_{nro}(P_B) = \gamma_{auth}(\widehat{P}_B)
$$

where $\gamma_{auth}$ is the decoration function defined in Section 5.4 for message-oriented
authentication, and $\widehat{P}_B$ is process $P_B$ in which all the 0's of processes $B_i^{y_i}(Z_i, Z_i')$
are replaced by $ev\_of\_or(Z_i, Z_i', y_i)$. For instance, action $ev\_of\_or(B, A, m)$ is
the action which signals that B has evidence of origin of m from A. This latter
decoration is similar to the one we used for adding commit actions in Section 5.3.

Now, recall that in process Medium $send(A, m)$ represents the sending of
message m by agent A. Then $\alpha_{nro}$ can be simply defined as $\alpha^{\{ev\_of\_or(B, A, m)\},\ \{send(A, m)\}}_{auth}$.

Definition 12. $P_B$ guarantees $NRO_{hr}$ iff $P_B$ is $GNDC^{\alpha_{nro}(P_B)}_{\leq_{trace}}$. ■

We show how this definition works through a simple example.

Example 9. A typical way of guaranteeing non-repudiation of origin is to use
digital signatures. Consider the message exchange:

$$
\text{message 1}\quad A \to B : M, sign_A(M)
$$

Since only A may generate $sign_A(M)$, B is guaranteed that A has originated
such a message. To see how the formalization of non-repudiation works,
we consider a flawed version of the protocol above, in which a shared key is used
instead of a signature:

$$
\text{message 1}\quad A \to B : M, MAC_K(M)
$$

K is a key shared between A and B. The protocol uses a Message Authentication
Code (MAC), i.e., a keyed hash function such that $MAC_K(M)$ can be efficiently
calculated if and only if the key K is known. A MAC can be modelled in SPA
by making the inverse key $k^{-1} \neq k$ not available to both the principals and the
enemy. This is a simple way of simulating the unidirectionality provided by the
(one-way) hashing. This protocol does not guarantee non-repudiation since both
A and B might have generated $MAC_K(M)$. We specify B as follows:

$$
Responder^{j}(b, a, k) \stackrel{def}{=} c(x).[x \vdash_{fst} i][x \vdash_{snd} j][\{i\}_k = j].0
$$
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As mentioned above, we also need to model the honest fragment of A, i.e., 
the part of A that deals with long-term keys. Indeed, A can never repudiate a 
message by declaring she has erroneously disclosed her long-term key. It is her 
responsibility to keep keys securely stored. The remaining part of Alice is not 
modelled in order to let her (possibly) behave dishonestly: 

Initiator{a,k) d{x).d{{x}k)-Initiator{a,k) 

Notice that this honest fragment of A uses a new channel d. This channel is 
used to communicate with the intruder which implicitly describes the dishonest 
fragment of A. 

We first consider P_B = Initiator(A, K) || Responder'(B, A, K), in which A
and B only play the Initiator and Responder roles, respectively. Since A is the
only entity which generates messages encrypted with key K, NRO is guaranteed,
i.e., every action ev_of_or(B, A, j) executed by γ_nro(P_B) will be preceded by a
send(A, j) generated by the Medium. Notice that Responder'(B, A, K), once
decorated by γ_nro, executes an ev_of_or(B, A, j) only if j is of the form {i}_K,
i.e., only if the MAC is valid.

To see a potential vulnerability of this protocol it is sufficient to consider two
parallel sessions with exchanged roles:

P'_B = Initiator(A, K) || Responder'(B, A, K) || Initiator(B, K) || Responder'(A, B, K)

Consider now the intruder X = d̄(M).d(x).c̄(M, x).0, which asks one of the
initiators to produce a MAC of M and then sends the pair (M, MAC_K(M)) to one
of the responders. A non-repudiation problem arises when the same entity is
producing the MAC and checking it. We show an execution sequence where B is
convinced to receive a MAC from A but he is actually the creator of the MAC.
Recall that γ_nro introduces the medium Medium of Section 5.4 in between the
communicating parties. The execution trace is:

send(X, M), rcv(B, M), send(B, {M}_K), rcv(X, {M}_K),
send(X, (M, {M}_K)), rcv(B, (M, {M}_K)), ev_of_or(B, A, {M}_K)

corresponding to the enemy X sending M to B playing the initiator role, B
responding with {M}_K and, finally, X forwarding the message {M}_K to B playing
the responder role, who finally executes ev_of_or(B, A, {M}_K).

Notice that there is no send(A, {M}_K) matching the ev_of_or(B, A, {M}_K)
event (indeed A is doing nothing). This is due to the fact that the encrypted
message {M}_K has been generated by B himself (in the Initiator role) at the
execution step corresponding to send(B, {M}_K). Thus this trace is not a trace
of α_nro(P'_B), proving that P'_B does not guarantee NRO. ■
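The reflection just described, as an added example that is not part of the original paper: a small Python simulation of the two honest fragments above, with HMAC-SHA256 standing in for {M}_K and a trace checker playing the role of α_nro (every ev_of_or(B, A, j) must be preceded by send(A, j)). The function names, the key K and the message M are constructed for the example.

```python
import hashlib
import hmac

# Constructed example data: K is shared by A and B only; X never learns it.
K = b"shared-key-between-A-and-B"
M = b"transfer 100 EUR to account 42"


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC_K(M), written {M}_K in the SPA model: computable only with K."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def initiator(name: str, key: bytes, trace: list, x: bytes) -> bytes:
    """Honest fragment Initiator(a, k): MAC whatever arrives on channel d."""
    trace.append(("rcv", name, x))
    tag = mac(key, x)
    trace.append(("send", name, tag))
    return tag


def responder(name: str, peer: str, key: bytes, trace: list, msg: tuple) -> bool:
    """Responder'(b, a, k): accept (i, j) only if j = {i}_k, then emit ev_of_or(b, a, j)."""
    i, j = msg
    trace.append(("rcv", name, msg))
    if not hmac.compare_digest(mac(key, i), j):
        return False
    trace.append(("ev_of_or", name, peer, j))
    return True


def nro_holds(trace: list, sender: str) -> bool:
    """alpha_nro: every ev_of_or(_, sender, j) must be preceded by send(sender, j)."""
    sent = set()
    for ev in trace:
        if ev[0] == "send" and ev[1] == sender:
            sent.add(ev[2])
        elif ev[0] == "ev_of_or" and ev[2] == sender and ev[3] not in sent:
            return False
    return True


def run_single_session() -> bool:
    """P_B: A is the only initiator and B the only responder; NRO holds."""
    trace = []
    tag = initiator("A", K, trace, M)          # A really originates {M}_K
    responder("B", "A", K, trace, (M, tag))   # B's evidence is matched by send(A, {M}_K)
    return nro_holds(trace, "A")


def run_reflected_session() -> bool:
    """P'_B: B also plays the initiator role, and X reflects B's own MAC back to B."""
    trace = [("send", "X", M)]                # X asks B (as initiator) to MAC M
    tag = initiator("B", K, trace, M)          # send(B, {M}_K)
    trace.append(("send", "X", (M, tag)))     # X forwards (M, {M}_K) to B (as responder)
    responder("B", "A", K, trace, (M, tag))   # ev_of_or(B, A, {M}_K) while A is silent
    return nro_holds(trace, "A")


if __name__ == "__main__":
    print("single session, NRO holds:", run_single_session())
    print("reflected session, NRO holds:", run_reflected_session())
```

The responder accepts B's own tag as evidence that A originated M because the tag depends only on K, which both parties hold. Binding the sender's identity into the MACed data stops this particular reflection, but it does not restore non-repudiation: a third party still cannot tell which of the two key holders produced the tag, which is why the first protocol of this example uses a signature.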

Analogously, we define non-repudiation of origin with honest sender, i.e.,
NRO_hs. This property can be encoded in the GNDC schema by simply considering
process P_A instead of P_B. NRO can be defined as the intersection of NRO_hr and
NRO_hs, i.e., by requiring both P_A and P_B to satisfy their respective GNDC
properties.

An analogous definition may be given for weak-NRR, even though the situation
is slightly more complicated since, in this case, also liveness properties should
be considered. In fact, it is not necessary that the message has been effectively
received: it is sufficient to require that the message is “available” for
reception, through, e.g., a Trusted Third Party which makes the message
downloadable, as proposed in [46]. We do not address this issue in detail, since
we prefer to focus our attention on another property which is also based on
liveness. The property is fairness [47]:

— Fairness: At no point in the protocol run does either participant have an
advantage. In other words, neither party can get its own evidence while
preventing the other from getting the corresponding evidence.

As observed in [41], this property cannot be defined as a safety property (i.e.,
nothing bad happens). Indeed we have to prove that whenever one of the two
participants obtains his own evidence, then the other must be in the position to
get his own evidence too. This can be seen as a liveness property (i.e., something
good happens). For this reason, in the analysis of this property the failure
model [31] is used instead of the trace one. As a matter of fact, failure
equivalence is able to observe potential deadlocks in the executions, and so it
permits to see whether something can be executed or not (i.e., whether an
evidence can be obtained or not).

The verification technique for the fairness property proposed in [41] directly
fits in the GNDC schema. Indeed, it is reasonable to assume that an agent
can require fairness from the other one only in the case he behaves correctly,
i.e., if he follows the protocol. For example, the fairness for the sender A of
receiving evidence of message receipt can be defined in the GNDC schema by
considering a suitable relation ≤_failure which takes into account failures, and
a function α_fair which models the fact that after the receiver gets evidence
of the origin (ev_of_or) then the sender has the possibility to obtain his own
evidence of receipt (ev_of_rec). This is modeled in α_fair by making the action
ev_of_rec always executable after ev_of_or has been engaged. We show how
this formalization of fairness works through a simple example.

Example 10. Consider the following non-repudiation protocol, where Bob requires
non-repudiation of origin and Alice requires non-repudiation of receipt of the
same message M:

message 1 A → B : B, M, sign_A(B, M)
message 2 B → A : A, sign_B(A, M)

In order for this protocol to be fair, we need to guarantee that whenever Alice
gets her evidence of receipt, then Bob eventually gets his evidence of origin,
and vice-versa. If A and B execute the ev_of_rec and ev_of_or actions just after
checking the received signatures, we easily find out that the protocol does not
guarantee fairness: it is sufficient for B to quit the protocol session after he
has received his evidence of origin. This corresponds to an execution in which
ev_of_or is executed but no ev_of_rec is possible after it. This failure in
executing the latter action is revealed by the failure preorder, and, consequently,
the attack is captured. We leave the formalization of this example as an exercise
to the interested reader. ■
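The point of Example 10, as an added example rather than a formalization from the paper: a constructed labelled transition system for the two-message protocol, once with an honest Bob and once with a Bob who may quit after his ev_of_or. A trace-style check only asks whether some run reaches ev_of_rec after ev_of_or and passes for both; the failure-style check (the role α_fair plays with ≤_failure) asks whether ev_of_rec is still performable from every state reached after ev_of_or, and catches the quitting Bob. State numbers, labels and function names are assumptions of the example.

```python
from collections import deque

EV_OR, EV_REC = "ev_of_or", "ev_of_rec"

# Constructed LTS for Example 10: states are ints, edges carry action labels.
HONEST = {
    0: [("msg1", 1)],      # A -> B : B, M, sign_A(B, M)
    1: [(EV_OR, 2)],       # B checks the signature: evidence of origin
    2: [("msg2", 3)],      # B -> A : A, sign_B(A, M)
    3: [(EV_REC, 4)],      # A checks the signature: evidence of receipt
    4: [],
}
# Same protocol, except that B may quit once he holds his own evidence.
B_QUITS = {s: list(edges) for s, edges in HONEST.items()}
B_QUITS[2] = HONEST[2] + [("quit", 5)]
B_QUITS[5] = []           # deadlock: no ev_of_rec can ever follow


def can_perform(lts, start, action):
    """Liveness: some path from `start` eventually performs `action`."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for label, t in lts.get(s, []):
            if label == action:
                return True
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return False


def trace_check(lts, start=0):
    """Trace view: is there a run in which ev_of_or is followed by ev_of_rec?
    True for both LTSs, so the trace preorder alone cannot see the attack."""
    seen, todo = {(start, False)}, deque([(start, False)])
    while todo:
        s, got_or = todo.popleft()
        for label, t in lts.get(s, []):
            if label == EV_REC and got_or:
                return True
            nxt = (t, got_or or label == EV_OR)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


def fair_for_sender(lts, start=0):
    """Failure view (alpha_fair with <=_failure): from every reachable state in
    which ev_of_or has happened but ev_of_rec has not, ev_of_rec must still be
    performable. A state refusing it is exactly the deadlock failures observe."""
    seen = {(start, False, False)}
    todo = deque(seen)
    while todo:
        s, got_or, got_rec = todo.popleft()
        if got_or and not got_rec and not can_perform(lts, s, EV_REC):
            return False
        for label, t in lts.get(s, []):
            nxt = (t, got_or or label == EV_OR, got_rec or label == EV_REC)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True


if __name__ == "__main__":
    for name, lts in (("honest B", HONEST), ("B quits", B_QUITS)):
        print(name, "traces ok:", trace_check(lts), "fair:", fair_for_sender(lts))
```

The quitting branch adds no new "bad" trace (every trace of B_QUITS is a prefix of a trace of HONEST), which is why a safety check over traces is blind to it; the refusal of ev_of_rec in state 5 is only visible to a semantics that records what a state can refuse.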

In [7,8], an extension of the bisimulation-based BNDC property is applied to 
the verification of non-repudiation protocols. 

5.7 Authentication in the Spi-Calculus 

In [2,1] an interesting notion of authentication is proposed. The basic idea is the
following: consider a protocol P(M), which tries to transmit message M from
one party (say A) to another one (say B). The authentication of the message
M is checked by verifying whether P(M) is equivalent to a specification P_spec(M)
where M is always delivered correctly. In P_spec(M) the receiver B always knows
M and, whatever happens on the communication channel, B will continue its
execution exactly as if it had received the correct message M. In other words,
P_spec(M) represents the situation where M is always received and no enemy is
able to replace it with a different message. If P(M) is equivalent to P_spec(M)
then P(M) too is clearly able to avoid any possible attack. The language used
in [2,1] is the spi-calculus. Moreover the may-testing equivalence [11], denoted
by ≃_may, is used in order to check that P(M) is equivalent to P_spec(M) with
respect to any possible interaction with the (hostile) environment. The definition
of authentication in the spi-calculus has the following form: P(M) guarantees
spi-authentication if and only if for all M we have that

P(M) ≃_may P_spec(M)

There are many similarities between spi-calculus authentication and NDC:
both properties are based on a notion of behavioral equivalence; moreover, they
both check whether the “process under attack” behaves like a secure
specification. It is however important to notice that this is done in a quite
different way. In the spi-calculus the process is implicitly checked against all
the possible interactions with the (hostile) environment through the use of the
may-testing equivalence. There, the tester plays simultaneously both the role of
the attacker and the role of the observer (see Fig. 6). On the other hand, the
NDC-based approach performs an explicit quantification over all possible
intruders, then observing the outcome of the attack (see Fig. 7).

Fig. 6. Testers as “observers and attackers” in spi-authentication.

In [20] we have proved that spi-authentication can be equivalently expressed
as an instance of NDC. To see how this is done it is useful to write a protocol
in a particular style that we call normal form. We assume that, after delivering
message M, protocol P(M) executes a continuation process F(M). In general,
more than one continuation could be present. Given a protocol S, we denote all
of its occurrences of continuations as {F_1(x_1), …, F_n(x_n)}, where x_i represents
the only free variable of F_i. From S we derive a process S_nf(m_1, …, m_n) in
normal form as follows:

S_nf(m_1, …, m_n) = (S' || ∏_{i=1..n} p_{F_i}(x_i).F_i(x_i)) \ p   (3)

where S' is the process S where every continuation F_i(x_i) is replaced by
p̄_{F_i}(x_i), and p = {p_{F_1}, …, p_{F_n}} is a set of channels that are used
neither in S nor in F_i and are not contained in C. Note that the channels in
p are indexed with the continuations F_i. This is useful for managing multiple
concurrent sessions between senders and receivers, which can be modeled by
considering n copies of the sender and n copies of the receiver in parallel. We
assume that syntactically equal continuations (up to renaming of bound
variables, i.e., α-conversion) correspond to the same protocol between two users
but in different parallel sessions.
Given this particular form for protocols, it is quite natural to derive a secure
specification. More precisely, given the normal form S_nf(m_1, …, m_n) as in (3),
it is sufficient to define S_spec(m_1, …, m_n) as follows:

S_spec(m_1, …, m_n) = (S' || ∏_{i=1..n} p_{F_i}(x_i).[x_i = m_i]F_i(m_i)) \ p   (4)

Note that every continuation is enabled only if the received message x_i is equal
to the correct message m_i. Note also that in the case of multiple sessions, this
simply requires that a “correct” multiset of messages is delivered from one
process to another one, in whatever possible order (see the example below in
this section).

We require some reasonable properties of the specification S_spec. First we
require that it guarantees NDC, for every vector of messages m. In [20] we prove
that any specification S_spec guarantees NDC under the following well-formedness
condition:

WFC1 For every vector of messages m, S_spec(m) \ C ≃_may ∏_{k=1..n} F_k(m_k)

This condition is a very natural one, as it requires that all the continuations
of the specification are eventually enabled when there is no attacker at all.
In other words, the specification is well-formed for not containing unreachable
continuations. If it does, then some useless redundancy is present in S_spec.
We have an additional well-formedness condition:

WFC2 For every vector of messages m, S(m) \ C ≃_may S_spec(m) \ C

The condition above is an obvious requisite for S_spec: the process S and its
specification S_spec behave in the same way when the public channels are
protected through the restriction (i.e., when no attack is possible).

Let S^F denote the protocol S where continuations are replaced by F'_i(x_i) =
out̄_{F_i}(x_i). These special continuations just send the received messages on
the observable channels out_{F_i}. In [20] the following result is proved:

Theorem 1. Let S be a protocol which guarantees the well-formedness conditions
WFC1 and WFC2. Then, S guarantees spi-authentication if and only if S^F
guarantees NDC, for all m.



An Example: The Wide Mouthed Frog Protocol. In this section we show
how to use NDC to analyze a simplified version (also studied in [2]) of the
Wide Mouthed Frog Protocol [9], which we already discussed in Section 5.5. We
still consider a version of the protocol with no time-stamps, which makes the
protocol sensitive to a replay attack (as already remarked in [1]). Notice that,
differently from Section 5.5, in the first message B is encrypted, as required by
the original protocol.

message 1 A → S : A, {B, k_AB}_{k_AS}
message 2 S → B : {A, k_AB}_{k_BS}
message 3 A → B : {m_A}_{k_AB}

We specify two sessions of the protocol as the following CryptoSPA normal
form^6:

A(m, k) = c̄_1 (A, {(B, k)}_{k_AS}) . c̄_3 {m}_k
S = c_1(u) . [u ⊢_snd x] [(x, k_AS) ⊢_dec y] [y ⊢_snd z] . c̄_2 {(A, z)}_{k_BS} . 0
B = c_2(y) . [(y, k_BS) ⊢_dec z] [z ⊢_snd s] . c_3(t) . [(t, s) ⊢_dec w] . p̄_F w
P(m, m') = (A(m, k_AB) || A(m', k'_AB) || S || B || S || B || p_F(z).F(z) || p_F(z).F(z)) \ p_F

where c_1, c_2 and c_3 are the three channels over which messages 1, 2 and 3 are
communicated, respectively. Note that we have considered two instances of A
and B in order to observe the replay attack. If we consider only one instance of
A and B no attack is possible here. Note also that A has different messages and
session keys in the two sessions.

Let us see if the protocol guarantees the well-formedness conditions. First, it
is easy to see that P(m, m') with no enemy, i.e., P(m, m') \ {c_1, c_2, c_3}, is trace
equivalent to F(m) || F(m'). This represents the intended execution of the
protocol. As a matter of fact the two sessions can be executed in any possible
interleaving. It is also easy to prove that P_spec(m, m') \ {c_1, c_2, c_3} ≃_trace
F(m) || F(m'). Thus, we finally have P(m, m') \ C ≃_trace P_spec(m, m') \ C ≃_trace
F(m) || F(m').

Since P(m, m') is well-formed, in order to check spi-authentication on it, we
can verify whether P^F(m, m') guarantees NDC. Note that P^F(m, m') is obtained
from P(m, m') by replacing F(w) with out̄_F w. Note also that in the two
instances of B the continuation is exactly the same (this allows to model
multiple sessions).

^6 This protocol specification is a bit simplified since there are only two users
and the possible sessions are fixed in advance. However, this modelling is
sufficient to show how the attack can be revealed.
We show that P^F(m, m') does not guarantee such a property. Consider the
enemy X = c_2(x) . c̄_2 x . c̄_2 x . c_3(y) . c̄_3 y . c̄_3 y. It is easy to see that
P^F ||_C X is able to execute the trace out̄_F m . out̄_F m, which is not a trace
of the process out̄_F m || out̄_F m'. Hence, P^F(m, m') ||_C X ≰_trace
out̄_F m || out̄_F m' ≃_trace P^F(m, m') \ C and NDC is not satisfied.

The enemy X intercepts messages 2 and 3 and replays them, inducing B to
commit twice on message m (as shown by the trace out̄_F m . out̄_F m). This
attack is quite critical in some situations. As an example, m could be a request
of money transfer that would be executed twice. In order to avoid this attack, it
is possible to modify the protocol (as done in [2]) by adding nonce-based
challenge-responses.
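The replay above, as an added example that is not part of the original paper: a symbolic (Dolev-Yao style) Python model of the two-session Wide Mouthed Frog run, where {m}_k is a tagged tuple that opens only with the matching key, the enemy X delivers message 2 and message 3 to both instances of B, and the check compares the multiset of messages B commits on against what the protocol produces with no enemy. This is a simplified stand-in for the NDC check over all traces; the key names, function names and the two messages are constructed.

```python
# Constructed symbolic model: enc/dec are a tagged tuple, not a real cipher.
# The attack does not depend on any cryptographic weakness, only on replay.
def enc(key: str, msg):
    return ("enc", key, msg)


def dec(key: str, term):
    if isinstance(term, tuple) and len(term) == 3 and term[0] == "enc" and term[1] == key:
        return term[2]
    return None


K_AS, K_BS = "kAS", "kBS"   # long-term keys shared with the server S


def initiator(m: str, k_ab: str):
    """A(m, k): message 1 for S (channel c_1) and message 3 for B (channel c_3)."""
    msg1 = ("A", enc(K_AS, ("B", k_ab)))
    msg3 = enc(k_ab, m)
    return msg1, msg3


def server(msg1):
    """S: open message 1 with k_AS and forward the session key to B as message 2 (c_2)."""
    name, blob = msg1
    payload = dec(K_AS, blob)
    if payload is None:
        return None
    _b, k_ab = payload
    return enc(K_BS, (name, k_ab))


def responder(msg2, msg3):
    """B: learn k_AB from message 2, open message 3 with it and commit on the result.
    The returned value is what the continuation out_F would emit."""
    payload = dec(K_BS, msg2)
    if payload is None:
        return None
    _a, k_ab = payload
    return dec(k_ab, msg3)


def run_without_enemy(m: str, m_prime: str):
    """P(m, m') \\ C: two sessions with distinct session keys and no interference."""
    outs = []
    for m_i, k in ((m, "kAB"), (m_prime, "kAB'")):
        msg1, msg3 = initiator(m_i, k)
        msg2 = server(msg1)
        outs.append(responder(msg2, msg3))
    return sorted(outs)


def run_with_replay_enemy(m: str, m_prime: str):
    """P^F ||_C X with X = c2(x).c2 x.c2 x.c3(y).c3 y.c3 y: X lets the first session
    reach S, then delivers its message 2 and message 3 to both instances of B."""
    msg1, msg3 = initiator(m, "kAB")
    msg2 = server(msg1)
    initiator(m_prime, "kAB'")          # the second A runs, but X drops its messages
    return sorted(responder(msg2, msg3) for _ in range(2))


def ndc_violated(m: str, m_prime: str) -> bool:
    """Simplified NDC check: the multiset of messages B commits on under attack must
    be one the protocol also produces with no enemy (here {m, m'})."""
    return run_with_replay_enemy(m, m_prime) != run_without_enemy(m, m_prime)


if __name__ == "__main__":
    print("no enemy :", run_without_enemy("m", "m'"))
    print("with X   :", run_with_replay_enemy("m", "m'"))
    print("NDC violated:", ndc_violated("m", "m'"))
```

Nothing in message 2 or message 3 ties them to a particular run, so B has no way to tell the replayed copies from a second, genuine session; that is the gap the time-stamps of the original protocol, or the nonce-based challenge-responses of [2], close.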

6 Some Simple Comparison Results 

In this section, we show that having a uniform treatment of security properties
makes it easier to study the relationships and the differences among them. First,
we show that NDC may be seen as a sufficient condition for every property
which is based on the trace preorder. This result is interesting since it relates
the non-interference property NDC, originally proposed for modeling information
flow security, to network security properties like, e.g., authentication. The result
holds for what we will call good candidates for a pair of functions γ, α, i.e.,
processes P such that γ(P) \ C ≤_trace α(P). This condition is quite reasonable
since we certainly want that at least the (decorated) protocol under no attacks,
i.e., γ(P) \ C, “satisfies” α(P).

Proposition 13. Let γ be a decoration function, let α be a function between
processes and let P be a good candidate for γ, α, i.e., γ(P) \ C ≤_trace α(P).
Then, γ(P) is NDC implies that P is GNDC^{γ,α}_{≤trace}.

Proof. The fact that γ(P) is NDC can be equivalently expressed by saying that
for every X ∈ E_C we have γ(P) ||_C X ≤_trace γ(P) \ C. By the hypothesis that P
is a good candidate, i.e., γ(P) \ C ≤_trace α(P), we obtain γ(P) ||_C X ≤_trace
γ(P) \ C ≤_trace α(P) and so P is GNDC^{γ,α}_{≤trace}. ■

Note that if a pair γ, α does not have good candidates then it represents an
empty property (no process satisfies it).

The result above shows that NDC, required on a process γ(P), is stronger
than any GNDC^{γ,α} property, for all the good candidates P. For example,
γ_Agree(P) ∈ NDC implies P ∈ GNDC^{γ_Agree, α_Agree} and γ_auth(P) ∈ NDC implies
P ∈ GNDC^{γ_auth, α_auth}, for their respective good candidates. This is quite
intuitive since NDC basically requires that the protocol behaviour is completely
preserved even under attack. So if γ(P) satisfies a certain property under no
attacks (i.e., it is a good candidate), the fact that γ(P) is NDC will preserve
such a property under every possible attack.
Example 11. Consider once more the protocol first presented in Example 1,
written in the form required by the agreement property (Example 8).

P = C(A, B, K_s) || V(B, A)
C(a, b, k) = c̄ {k, a}_K . 0
V(b, a) = c(y) . [(y, K) ⊢_dec w] [w ⊢_fst z] . 0

Recall that

γ_Agree(P) = running_ini(A, B, K_s) . c̄ {K_s, A}_K . 0
             || c(y) . [(y, K) ⊢_dec w] [w ⊢_fst z] . commit_res(B, A, z)

It is trivial to prove that P is a good candidate for γ_Agree, α_Agree, i.e.,
γ_Agree(P) \ C ≤_trace α_Agree(P). As a matter of fact the only trace of
γ_Agree(P) \ C is running_ini(A, B, K_s) . commit_res(B, A, K_s). Thus, we can use
NDC to check the agreement property, i.e., if we prove that γ_Agree(P) is NDC
then, by Proposition 13, we also have that P ∈ GNDC^{γ_Agree, α_Agree}.

It can be checked (e.g., using the tools described in [15]) that γ_Agree(P) is
NDC whenever K ∉ φ_I. However, as noticed in Section 1.3, this protocol is
flawed when more than one session is considered. As a consequence,
γ_Agree(P || P) cannot be NDC (otherwise we would get a contradiction). As done
in Example 8 we consider an enemy X = c(w) . c̄ w . c̄ w. It is easy to see that
the trace running_ini(A, B, K_s) . commit_res(B, A, K_s) . commit_res(B, A, K_s)
is in the set Tr(γ_Agree(P || P) ||_C X) but not in Tr(γ_Agree(P || P) \ C), as the
second commit is not matched by any running action. So, as expected,
γ_Agree(P || P) is not NDC. ■

In general, we observe that if ◁ ⊆ ◁' then GNDC^α_◁ ⊆ GNDC^α_◁'; furthermore,
if for all P ∈ E we have α(P) ◁ α'(P) and γ'(P) ◁ γ(P)^7 then
GNDC^{γ,α}_◁ ⊆ GNDC^{γ',α'}_◁.

As an example, we study the natural extension of secrecy to two messages.
Consider a protocol P(m_1, m_2) and let us define two different γ decoration
functions: γ^1_secret requiring the secrecy of m_1 and γ^2_secret requiring the
secrecy of both messages:

γ^1_secret(P(m_1, m_2)) = P(m_1, m_2) || KN(m_1)
γ^2_secret(P(m_1, m_2)) = P(m_1, m_2) || KN(m_1) || KN(m_2)

It is trivial to see that, for all P(m_1, m_2), we have γ^1_secret(P(m_1, m_2)) ≤_trace
γ^2_secret(P(m_1, m_2)). Thus we obtain GNDC^{γ^2_secret, α_secret} ⊆ GNDC^{γ^1_secret, α_secret},
reflecting the intuition that requiring the secrecy of both messages is stronger
than requiring the secrecy of the first one only.

We give another simple example, by considering message-oriented
authentication. It is easy to prove that α^{T,R}_auth(P) ≤_trace α^{T',R'}_auth(P)
whenever T ⊇ T' and R ⊆ R'. As a consequence,
GNDC^{γ_auth, α^{T,R}_auth} ⊆ GNDC^{γ_auth, α^{T',R'}_auth}, reflecting the intuition
that actions in T are executable only after at least one action in R has been
executed. If we enlarge the set R, the number of processes satisfying
message-oriented authentication increases. The same happens when we shrink the
set T, because the actions that are no longer in T become directly executable.

^7 Notice that α and γ are contra-variant here.

We end this section by showing how to apply the theory developed so far
in order to check multiple properties with just one NDC check. We have
observed that enlarging the decoration γ makes the resulting property stronger,
i.e., if, for all P, γ'(P) ≤ γ(P) then GNDC^{γ,α} ⊆ GNDC^{γ',α}. Thus, given
two different properties characterized by the pairs (γ_1, α_1) and (γ_2, α_2), we
can try to find a larger γ_3 that contains both decorations, i.e., such that
γ_1(P) ≤ γ_3(P) and γ_2(P) ≤ γ_3(P), for all P. Intuitively, this corresponds to
considering the sum of the two decorations. By Proposition 13 we directly
obtain that if γ_3(P) \ C ≤_trace α_1(P) and γ_3(P) \ C ≤_trace α_2(P) then γ_3(P)
is NDC implies that P is GNDC^{γ_3,α_1} and GNDC^{γ_3,α_2}. Thus, NDC may be used
to simultaneously check both properties. Notice that, in general, the two
conditions γ_3(P) \ C ≤_trace α_1(P) and γ_3(P) \ C ≤_trace α_2(P) are not
restrictive, as α_1(P) and α_2(P) impose restrictions only on the actions added
by their respective decorations. Thus, e.g., γ_1(P) \ C ≤_trace α_1(P) should
imply that also γ_3(P) \ C ≤_trace α_1(P).



Example 12. Consider once more the protocol P discussed in Example 11 and
let us write it as P(K_s), i.e., parametric with respect to the session key.

P(K_s) = C(A, B, K_s) || V(B, A)
C(a, b, k) = c̄ {k, a}_K . 0
V(b, a) = c(y) . [(y, K) ⊢_dec z] . 0

Recall that

γ_Agree(P(K_s)) = running_ini(A, B, K_s) . c̄ {K_s, A}_K . 0
                 || c(y) . [(y, K) ⊢_dec w] [w ⊢_fst z] . commit_res(B, A, z)

Suppose that we also want to check whether or not the secrecy of the session
key is guaranteed. Recall that

γ_secret(P(K_s)) = P(K_s) || KN(K_s)

Now if we simply consider the new decoration function

γ_{A&S}(P(K_s)) = γ_Agree(P(K_s)) || KN(K_s)

we obtain that γ_Agree(P(K_s)) ≤_trace γ_{A&S}(P(K_s)) and γ_secret(P(K_s)) ≤_trace
γ_{A&S}(P(K_s)). Intuitively, γ_{A&S}(P(K_s)) is the sum of the two decorations.
Now, it is trivial to prove that P(K_s) is still a good candidate for γ_{A&S},
α_Agree, i.e., γ_{A&S}(P) \ C ≤_trace α_Agree(P). As a matter of fact the only
trace of γ_{A&S}(P) \ C is running_ini(A, B, K_s) . commit_res(B, A, K_s). For the
same reason, it is also trivial to see that P(K_s) is a good candidate for
γ_{A&S}, α_secret. Thus, we can use NDC to simultaneously check agreement and
secrecy. It can be checked (e.g., using the tools described in [15]) that
γ_{A&S}(P(K_s)) is NDC whenever K ∉ φ_I. Thus, for a single session, P(K_s)
guarantees both agreement and the secrecy of the session key. We have seen that
for multiple sessions agreement is not guaranteed. As a matter of fact, trying to
check NDC on γ_{A&S}(P(K_s) || P(K'_s)) fails because of the attack on
authentication discussed in Example 11. ■



7 Conclusion 

In this paper we have proposed a general scheme, called GNDC, that allows us
to specify different security properties in a uniform setting. Rephrasing
different properties in our uniform scheme is interesting from different
perspectives: (i) it allows to better understand and compare the properties of
interest, (ii) it allows to reuse general results and proof techniques, (iii) it
allows to check all the rephrased properties with just one NDC check, (iv) since
NDC is supported by the automated tools CVS/CoSeC [15], the GNDC scheme allows
us to apply such tools to all the rephrased properties.

This analysis technique has been applied to many case studies, sometimes
finding new failures or variants of known failures [14].

There are many extensions to the model presented in this paper that have
already been developed. Extensions with time [21] allow us to detect attacks
due to timing covert-channels and to analyze real-time cryptographic protocols
[29]. Extensions with probabilities [3,4] allow us to refine process
specifications in order to detect flaws that are related to event probabilities.
The extension of probabilistic models to deal with cryptographic protocols is
currently under development. We are planning to compare our approach with other
ones, based on different process calculi. Some preliminary results in this
direction can be found in [30]. An alternative approach based on logical
specification of the correct behavior and on partial model checking techniques
has been proposed in [35,36,37].
Abstract. We survey several cryptographic algorithms that provide
authentication and confidentiality for multim
edia traffic over the Internet.
We focus in particular on the problem of authenticating streams of data 
and on the problem of secure multicast, where streamed information is 
sent to a dynamic group of users. 



1 Introduction 

This paper describes various cryptographic algorithms for security of multimedia 
traffic over the Internet. There are several issues that are specific to multimedia 
data. Usually the data takes the form of streams rather than single message units. 
Also the data is usually delivered to large groups of users that might dynamically 
change. Efficiency and scalability are of utmost importance. These issues prevent 
a straightforward application of basic cryptographic tools for authentication and 
confidentiality and often require ad hoc solutions. 

Streams Defined. A stream is a potentially very long (infinite) sequence of
bits that a sender sends to a receiver. The stream is usually sent at a rate which
is negotiated between the sender and the receiver, or there may be a
demand-response protocol in which the receiver repeatedly sends requests for
additional (finite) amounts of data. The main feature of streams which
distinguishes them from messages is that the receiver must consume the data it
receives at more or less the input rate, i.e., it can’t buffer large amounts of
unconsumed data. In fact in many applications the receiver stores relatively very
small amounts of the stream. In some cases the sender itself may not store the
entire sequence, i.e., it may not store the information it has already sent out
and it may not know anything about the stream much beyond what it has sent out.

There are many examples of digital streams. Common examples include dig- 
itized video and audio which is now routinely transported over the Internet and 
also to television viewers via various means, e.g., via direct broadcast satellites 
and very shortly via cable, wireless cable, telephone lines etc. This includes both 
pre-recorded and stored audio/video programming as well as live feeds. Apart 
from audio/video, there are also data feeds (e.g., news feeds, stock market quotes 
etc.) which are best modeled as a stream. 
Multicast Security. In multicast communication, messages are exchanged
between members of a potentially dynamic group. In most applications these
messages are streams. The basic secrecy problem is that messages should
be visible only to legitimate members of the group (e.g., paying subscribers).
Messages should also be authenticated so that receivers can make sure that
they have not been tampered with. A more complex problem is that of source
authentication, which should allow the receivers to identify the sender of the
message among the members of the group.

2 Cryptographic Preliminaries 

In this section we recall some cryptographic concepts and terminology which will
be useful later. For a good survey of basic cryptographic algorithms the reader
is referred to [18]. In the following we denote with n the security parameter. We
say that a function ε(n) is negligible if for all c, there exists an n_0 such that,
for all n > n_0, ε(n) < 1/n^c.

Collision-Resistant Hash Functions. Let 𝓗 be a family of functions that
map arbitrarily long binary strings into binary strings of a fixed length k. We
say that 𝓗 is a collision-resistant family of hash functions if any polynomial
time algorithm which is given as input a description of a random element H ∈ 𝓗
finds a collision, i.e., a pair (x, y) such that x ≠ y and H(x) = H(y), only with
negligible probability ε(k).

SHA-1 [15] was, at the time of writing, a conjectured collision-resistant hash
function, i.e., it could be thought of as a random representative of a family 𝓗
with the above property. (Practical SHA-1 collisions have since been published,
so the conjecture no longer holds; the constructions below should be
instantiated with a hash function still believed collision resistant, such as
SHA-256.)

Signature Schemes. A signature scheme is a triplet (G, S, V) of probabilistic
polynomial-time algorithms satisfying the following properties:

— G is the key generation algorithm. On input 1^n it outputs a pair (SK, PK)
of n-bit strings. SK is called the secret (signing) key and PK is called the
public (verification) key.

— S is the signing algorithm. On input a message M and the secret key SK,
it outputs a signature σ.

— V is the verification algorithm. For every (PK, SK) = G(1^n) and σ =
S(SK, M), it holds that V(PK, σ, M) = 1.

In [10] security for signature schemes is defined in several variants. The
strongest variant is called “existential unforgeability against adaptively chosen
message attack”. That is, we require that no efficient algorithm will be able to
produce a valid signed message, even after seeing several signed messages of its
choice.

One-Time Signatures. A special kind of signature scheme satisfies the [10]
definition of security only if we allow the adversary to see a limited number of
signed messages. In particular there exist signature schemes that are secure only
if used to sign a single message. The main advantage of this type of scheme is
that they are usually much faster to execute than regular signature schemes.
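A one-time signature in working form, as an added example that is not part of the survey: Lamport's hash-based construction, where the secret key is a pair of random preimages per digest bit, the public key is their hashes, and a signature reveals one preimage per bit. The block also shows why "one-time" is not optional: signing two messages with the same key reveals both preimages at every bit where the digests differ, so a third signature can be assembled without the key. Secrets are derived from a fixed seed only to keep the example reproducible; real keys must come from a CSPRNG. Function names, the seed and the messages are constructed.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes, nbits: int):
    """First `nbits` bits of H(msg), most significant first."""
    d = int.from_bytes(H(msg), "big") >> (256 - nbits)
    return [(d >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def keygen(seed: bytes, nbits: int = 256):
    """Lamport key pair: sk[i][b] is the secret preimage for bit i having value b,
    pk[i][b] = H(sk[i][b]). Derived from `seed` only for reproducibility here;
    a real key uses secrets.token_bytes(32) for every sk[i][b]."""
    sk = [[H(seed + bytes([i >> 8, i & 0xFF, b])) for b in (0, 1)] for i in range(nbits)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal, for every digest bit, the preimage matching that bit's value."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg, len(sk)))]


def verify(pk, msg: bytes, sig) -> bool:
    nbits = len(pk)
    if len(sig) != nbits:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg, nbits))))


def forge_after_reuse(pk, signed, target: bytes):
    """Given (msg, sig) pairs made with the same one-time key, assemble a signature
    on `target` from the revealed preimages; None if some needed preimage was
    never revealed. With 256-bit digests and two signatures the success
    probability for a random target is (3/4)^256, i.e. negligible."""
    nbits = len(pk)
    revealed = {}
    for m, s in signed:
        for i, (x, b) in enumerate(zip(s, digest_bits(m, nbits))):
            revealed[(i, b)] = x
    sig = [revealed.get((i, b)) for i, b in enumerate(digest_bits(target, nbits))]
    return None if any(x is None for x in sig) else sig


def reuse_demo(nbits: int = 8, tries: int = 2000):
    """Shrink the digest to `nbits` so the leak is visible at toy scale: sign two
    messages with one key, then search for a third message whose signature can
    be assembled. With 8-bit digests roughly one target in ten qualifies."""
    sk, pk = keygen(b"demo-seed", nbits)
    m1, m2 = b"pay 10", b"pay 20"
    signed = [(m1, sign(sk, m1)), (m2, sign(sk, m2))]
    for i in range(tries):
        target = b"pay %d" % (1000 + i)
        sig = forge_after_reuse(pk, signed, target)
        if sig is not None and verify(pk, target, sig):
            return target, sig
    return None


if __name__ == "__main__":
    sk, pk = keygen(b"example", 256)
    print("valid:", verify(pk, b"hello", sign(sk, b"hello")))
    print("forged after key reuse (8-bit toy):", reuse_demo())
```

The full-size scheme is fast (a signature costs n hash evaluations and no modular arithmetic), which is the efficiency advantage the survey mentions, but each public key must be used exactly once; the stream-signing constructions later in the paper exist precisely to chain such single-use keys together.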
Message Authentication Codes. A message authentication code (MAC) is
a pair (Auth, Ver) of probabilistic polynomial-time algorithms satisfying the
following properties:

— Auth is the authenticating algorithm. On input a message M and the secret
key K ∈ {0,1}^n, it outputs a tag τ.

— Ver is the verification algorithm. For every K ∈ {0,1}^n and τ = Auth(K, M),
it holds that Ver(K, τ, M) = 1.

Security for MACs can be defined analogously to signature schemes. That is, we
require that no efficient algorithm will be able to produce a valid authenticated
message, even after seeing several authenticated messages of its choice, without
knowing the key K, which is selected at random from {0,1}^n.

The main difference between MACs and signature schemes is that the latter
provide non-repudiation, i.e., the receiver can prove to a third party that the
message originated with the sender (the owner of the secret key). This is not
possible for MACs since both sender and receiver share the secret key, so either
of them could have produced the tag. MACs are usually much more efficient
algorithms than digital signatures.

Public-Key Encryption. A public key encryption scheme is a triplet (G, E, D)
of probabilistic polynomial-time algorithms satisfying the following properties:

— G is the key generation algorithm. On input 1^n it outputs a pair (SK, PK)
of n-bit strings. SK is called the secret (decryption) key and PK is called the
public (encryption) key.

— E is the encryption algorithm. On input a message M and the public key
PK, it outputs a ciphertext c.

— D is the decryption algorithm. For every (PK, SK) = G(1^n) and c =
E(PK, M), it holds that D(SK, c) = M.

There are several levels of security for encryption schemes, depending on whether
the attacker is active or passive. For the purpose of this paper we will stick to
the lowest level of security: indistinguishability. The requirement is that the
ciphertext space of a message M should be computationally indistinguishable
from the ciphertext space of a different message M'. Basically it requires a
randomized encryption algorithm, so that given a ciphertext c and a candidate
message M, the attacker cannot verify whether c is an encryption of M or not.

Private-Key Encryption. A private-key encryption scheme is a pair (Enc,
Dec) of probabilistic polynomial-time algorithms satisfying the following
properties:

— Enc is the encryption algorithm. On input a message M and the secret key
K ∈ {0,1}^n, it outputs a ciphertext c.

— Dec is the decryption algorithm. For every K ∈ {0,1}^n and c = Enc(K, M),
it holds that Dec(K, c) = M.

Security for private-key encryption schemes can be defined analogously to
public-key schemes. Private-key encryption schemes are more efficient in
practice, but they require sender and receiver to agree on a secret key in
advance.
Commitment Schemes. Commitment schemes simulate the role of envelopes. 
A commitment scheme is a protocol between a Sender and a Receiver. In a first 
phase, the Sender, who commits to a message $m$, and the Receiver engage in an 
exchange of messages, at the end of which the Receiver has no idea what $m$ is. 
This first phase is followed by a revealing phase in which the Sender opens the 
commitment to produce a decommitment string $d$, which includes the message 
$m$ and a sort of “proof” that $m$ is the correct value. There should be a unique 
way in which a Sender can open a commitment (i.e. the first phase committed 
the Sender to $m$). 

We limit ourselves to non-interactive commitment schemes, i.e. those in which 
commitment and reveal phase consist of a single message from the Sender to 
the Receiver. Thus a commitment scheme consists of a pair of probabilistic 
polynomial-time algorithms $Comm$, $Decomm$ such that: 

(1) $Decomm(Comm(m)) = m$; 

(2) the random variable $Comm(m)$ should be computationally indistinguishable 
from $Comm(m')$ for a different message $m'$; 

(3) it is computationally infeasible to generate a commitment string $c$ and two 
valid decommit strings $d \ne d'$ such that $d$ and $d'$ include respectively different 
messages $m \ne m'$. 

3 How to Authenticate or Sign Digital Streams 

If we go back to the definition of streams, it becomes clear that message-oriented 
signature schemes cannot be directly used to sign streams, since the receiver 
cannot be expected to receive the entire stream before verifying the signature. If 
a stream is infinitely long (e.g., the 24-hour news channel), then it is impossible 
for the receiver to receive the entire stream, and even if a stream is finite but 
long, the receiver would have to violate the constraint that the stream needs to 
be consumed at roughly the input rate and without delay. 

3.1 Simple Authentication of Streams 

Notice that if the receiver were only interested in establishing the identity of the 
sender, a solution based on MACs would suffice. Indeed, once the sender and 
receiver share a secret key, the stream could be authenticated block by block 
using a MAC computation on it. Since MACs are usually faster than signatures 
to compute and verify, this solution would fit the bill in terms of efficiency as 
well. 

However, a MAC-based approach would not enjoy the non-repudiation prop- 
erty. In this section we are going to describe a scheme which achieves non- 
repudiation. In order for this property to be meaningful in the context of streams 
we need to require that each prefix of the stream be non-repudiable. That is, 
if the stream is $B = B_1, B_2, \ldots$ where each $B_i$ is a block, we require that each 
prefix $B_1 \ldots B_i$ be non-repudiable. This rules out a solution in which the 
sender just attaches a MAC to each block and then signs the whole stream at 
the end. 
This is to prevent the sender from interrupting the transmission of the stream 
before the non-repudiability property is achieved. It is also a guarantee for the 
receiver. Consider indeed the following scenario: the receiver notices that the 
stream she is downloading is damaging her machine (streams can also 
model Java applets). She interrupts the transfer in order to limit the damage, but 
at the same time she still wants some proof to bring to court that the substream 
downloaded so far did indeed come from the sender. 

In general non-repudiation is crucial when the stream is being sold as an 
electronic merchandise. With the advent of music and video distribution over the 
internet, it is clear that such transactions must be protected with mechanisms 
that allow the resolution of disputes through non-repudiation. 

Later on we will also see that in the context of secure multicast a solution 
based on digital signatures could be preferable to one based on MACs. Indeed 
in that scenario (even if non-repudiation is not required) to simply sign the 
content may end up being the simplest and most efficient solution, since it avoids 
problems of key management among a large number of users. 

3.2 Non-optimal Solutions for Signing of Streams 

We first describe some solutions which are lacking optimality in various ways. 

One type of solution splits the stream in blocks. The sender signs each indi- 
vidual block and the receiver loads an entire block and verifies its signature before 
consuming it. This solution also works if the stream is infinite. However, this so- 
lution forces the sender to generate a signature for each block of the stream and 
the receiver to verify a signature for each block. With today’s signature schemes 
either one or both of these operations can be very expensive computationally. 
This in turn means that the operations of signing and verifying can create a 
bottleneck to the transmission rate of the stream. 

Another type of solution works only for finite streams which are known in 
advance. In this case, once again the stream is split into blocks. Instead of signing 
each block, the sender creates a table listing cryptographic hashes of each of the 
blocks and signs this table. When the receiver asks for the authenticated stream, 
the sender first sends the signed table followed by the stream. The receiver first 
receives and stores this table and verifies the signature on it. If the signature 
matches, then the receiver has the authenticated cryptographic hash of each of 
blocks in the stream and thus each block can be verified when it arrives. The 
problem with this solution is that it requires the storage and maintenance of a 
potentially very large table on the receiver’s end. In many realistic scenarios the 
receiver buffer is very limited compared to the size of the stream (e.g., in MPEG 
a typical movie may be 20 GBytes whereas the receiver buffer is only required 
to be around 250Kbytes). Therefore the hash table can itself become fairly large 
(e.g., 50000 entries in this case or 800Kbytes for the MD5 hash function) and 
it may not be possible to store the hash table itself. Also, the hash table itself 
needs to be transmitted first and if it is too large then there will be a significant 
delay before the first piece of the stream is received and consumed. To address 
the problem of large tables one can also come up with a hybrid scheme in which 
the stream is split in consecutive pieces and each piece is preceded by a small 
signed table of contents. 

The above solution can be further modified by using an authentication tree: 
the blocks are placed as the leaves of a binary tree and each internal node takes as 
a value the hash of its children (see [13]). This way the sender needs to sign and 
send only the root of this tree. However, in order to authenticate each following 
block the sender has to send the whole authentication path (i.e., the nodes on the 
path from the root to the block, plus their siblings) to the receiver. This means 
that if the stream has $k$ blocks, the authentication information associated with 
each block will be $O(\log k)$. 

The solution described next eliminates all these shortcomings. The basic idea 
works for both infinite and finite streams, only one expensive digital signature is 
ever computed, there are no big tables to store, and the size of the authentication 
information associated with each block does not depend on the size of the stream. 

3.3 An Optimal Solution to Sign Streams 

In order to describe this optimal solution we make some reasonable/practical 
assumptions about the nature of the streams being authenticated. First of all we 
assume that it is possible for the sender to embed authentication information 
in the stream. This is usually the case in most real-world situations like MPEG 
video/audio. We also assume that the receiver has a “small” buffer in which 
it can first authenticate the received bits before consuming them. Finally we 
assume that the receiver has processing power or hardware that can compute a 
small number of fast cryptographic checksums faster than the incoming stream 
rate while still being able to play the stream in real-time. 

The basic idea is to divide the stream into blocks and embed some authenti- 
cation information in the stream itself. The authentication information of the 
$i$-th block will be used to authenticate the $(i+1)$-th block. This way the signer needs 
to sign just the first block and then the properties of this single signature will 
“propagate” to the rest of the stream through the authentication information. 
Of course the key problem is to perform the authentication of the internal blocks 
fast. We distinguish two cases, depending on whether the stream is finite or infinite. 

Finite Streams. In the first scenario the stream is finite and is known in 
its entirety to the signer in advance. This is not a very limiting requirement 
since it covers most of the Internet applications (digital movies, digital sounds, 
applets). In this case we will show that a single hash computation will suffice 
to authenticate the internal blocks. The idea is to embed in the current block 
a hash of the following block (which in turn includes the hash of the following 
one, and so on). 

Assume for simplicity that the stream is such that it is possible to reserve 
20 bytes of extra authentication information in a block of size c. The stream is 
logically divided into blocks of size c. The receiver has a buffer of size c. The 
receiver first receives the signature on the 20 byte hash (e.g., SHA-1) of the first 
block. After verification of the signature the receiver knows what the hash of 
the first block should be and then starts receiving the full stream and starts 
computing its hash block by block. When the receiver receives the first block, 
it checks its hash against what the signature was verified upon. If it matches, 
it plays the block, otherwise it rejects it and stops playing the stream. How are 
other blocks authenticated? The key point is that the first block contains the 
20 byte hash of the second block, the second block contains the 20 byte hash of 
the third block and so on. Thus, after the first signature check, there are just 
hashes to be checked for every subsequent block. 

In more detail, let $(G, S, V)$ be a regular signature scheme. The sender has a 
pair of secret-public keys $(SK, PK) = G(1^n)$ of such signature scheme. Also let 
$H$ be a collision-resistant cryptographic hash function. If the original stream is 

$B = B_1, B_2, \ldots, B_k$ 

and the resulting signed stream is 

$B' = B'_0, B'_1, B'_2, \ldots, B'_k$ 

the processing is done backwards on the original stream as follows: 

$B'_k = \langle B_k, 00\ldots0 \rangle$ 

$B'_i = \langle B_i, H(B'_{i+1}) \rangle$ for $i = 1, \ldots, k-1$ 

$B'_0 = \langle H(B'_1, k), S(SK, H(B'_1, k)) \rangle$ 

Notice that on the sender side, computing the signature and embedding the 
hashes requires a single backwards pass on the stream, hence the restriction that 
the stream is fully known in advance. Notice also that the first block $B'_0$ of the 
signed stream contains an encoding of the length of the stream ($k$). 

The receiver verifies the signed stream as follows: on receiving $B'_0 = \langle B, A_0 \rangle$ 
she checks that 

$V(PK, A_0, B) = 1$ 

and extracts the length $k$ in blocks of the stream (which we may assume is 
encoded in the first block). Then on receiving $B'_i = \langle B_i, A_i \rangle$ (for $1 \le i \le k$) 
the receiver accepts $B_i$ if 

$H(B'_i) = A_{i-1}$ 

(for $i = 1$ the value compared against is the signed hash $B$ carried in $B'_0$). 

Thus the receiver has to compute a single public-key operation at the beginning, 
and then only one hash evaluation per block. Notice that no big table is needed 
in memory. 

Infinite Streams. The second case is for (potentially infinite) streams which 
are not known in advance to the signer (for example live feeds, like sports event 
broadcasting and chat rooms). In this scenario it is important that the operation 
of signing (and not just verification) also be fast, since the sender himself is bound 
to produce an authenticated stream at a potentially high rate. 

The solution in this case is more complicated as it requires several hash 
computations to authenticate a block (although depending on the embedding 
mechanism these hash computations can be amortized over the length of the 
block). The size of the embedded authentication information is also an issue in 
this case. The idea here is to use fast 1-time signature schemes (introduced in 
[11,12]) to authenticate the internal blocks. So block $i$ will contain a 1-time public 
key and also the 1-time signature of itself with respect to the key contained in 
block $i-1$. This signature authenticates not only the stream block but also the 
1-time key attached to it. 

More in detail: let us denote with $(G, S, V)$ a regular signature scheme and 
with $(g, s, v)$ a 1-time signature scheme. With $H$ we still denote a collision- 
resistant hash function. The sender has long-lived keys $(SK, PK) = G(1^n)$. Let 

$B = B_1, B_2, \ldots$ 

be the original stream (notice that in this case we are not assuming the stream 
to be finite) and 

$B' = B'_0, B'_1, B'_2, \ldots$ 

the signed stream constructed as follows. For each $i \ge 0$ let us denote with 
$(sk_i, pk_i) = g(1^n)$ the output of an independent run of algorithm $g$. Then 

$B'_0 = \langle pk_0, S(SK, pk_0) \rangle$ 

(public keys of 1-time signature schemes are usually short so they need not 
be hashed before signing) 

$B'_i = \langle B_i, pk_i, s(sk_{i-1}, H(B_i, pk_i)) \rangle$ for $i \ge 1$ 

Notice that apart from a regular signature on the first block, all the follow- 
ing signatures are 1-time ones, thus much faster to compute (including the key 
generation, which does not have to be done on the fly.) 

The receiver verifies the signed stream as follows. On receiving $B'_0 = \langle 
pk_0, A_0 \rangle$ she checks that 

$V(PK, A_0, pk_0) = 1$ 

and then on receiving $B'_i = \langle B_i, pk_i, A_i \rangle$ she checks that 

$v(pk_{i-1}, A_i, H(B_i, pk_i)) = 1$ 

whenever one of these checks fails, the receiver stops playing the stream. Thus 
the receiver has to compute a single public-key operation at the beginning, and 
then only one 1-time signature verification per block. 
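The two constructions above as one worked example, added to this section (it is not code from the tutorial or from [9]): the hash chain of the finite scheme and the chain of one-time keys of the infinite scheme, each with a receiver that keeps only the state of the current block. The regular scheme $(G, S, V)$ is abstracted as any sign/verify pair; so that the example runs stand-alone, a Lamport one-time signature over SHA-256 plays that role as well, which is sound only because the long-lived key signs exactly one block ($B'_0$) per stream. The length encoding in $B'_0$ and the 32-byte tag (SHA-256 instead of the 20-byte SHA-1 of the text) are choices of this example. 

```python
import hashlib
import os

N = 256                                   # digest bits signed by the Lamport scheme
PK_LEN, SIG_LEN = N * 64, N * 32          # Lamport public-key and signature sizes (bytes)
TAG = 32                                  # bytes reserved per block for the embedded hash
                                          # (the text reserves 20 for SHA-1; SHA-256 here)

def sha(*parts: bytes) -> bytes:          # H: collision-resistant hash of the concatenation
    return hashlib.sha256(b"".join(parts)).digest()

# --- Lamport one-time signature (g, s, v); also stands in for (G, S, V) below ---
def g():
    sk = os.urandom(2 * N * 32)           # 2N random 32-byte preimages
    pk = b"".join(sha(sk[j * 32:(j + 1) * 32]) for j in range(2 * N))
    return sk, pk

def _bits(msg: bytes):
    d = sha(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]

def s(sk: bytes, msg: bytes) -> bytes:
    """Sign: for digest bit i with value b, reveal preimage number 2i+b."""
    return b"".join(sk[(2 * i + b) * 32:(2 * i + b + 1) * 32] for i, b in enumerate(_bits(msg)))

def v(pk: bytes, sig: bytes, msg: bytes) -> bool:
    """Verify: each revealed preimage must hash to the matching public-key entry."""
    return len(sig) == SIG_LEN and all(
        sha(sig[i * 32:(i + 1) * 32]) == pk[(2 * i + b) * 32:(2 * i + b + 1) * 32]
        for i, b in enumerate(_bits(msg)))

# --- Finite streams (known in advance): one backwards pass, one signature ---
def sign_finite(SK: bytes, blocks):
    k = len(blocks)
    signed = [b""] * (k + 1)
    nxt = bytes(TAG)                      # B'_k ends with 00...0
    for i in range(k, 0, -1):
        signed[i] = blocks[i - 1] + nxt   # B'_i = <B_i, H(B'_{i+1})>
        nxt = sha(signed[i])
    head = nxt + k.to_bytes(4, "big")     # H(B'_1) plus the length k (constructed encoding)
    signed[0] = head + s(SK, head)        # B'_0 = <head, S(SK, head)>
    return signed

class FiniteVerifier:
    """Receiver state is only the next expected hash and the remaining block count."""
    def __init__(self, PK: bytes, block0: bytes):
        head, sig = block0[:TAG + 4], block0[TAG + 4:]
        if not v(PK, sig, head):
            raise ValueError("signature on B'_0 rejected")
        self.expect, self.remaining = head[:TAG], int.from_bytes(head[TAG:], "big")

    def feed(self, block: bytes) -> bytes:
        if self.remaining == 0 or sha(block) != self.expect:
            raise ValueError("block rejected: hash chain broken")
        self.remaining -= 1
        self.expect = block[-TAG:]        # hash that the next block must have
        return block[:-TAG]               # payload B_i, safe to play

# --- Infinite streams (live): a chain of one-time keys, no look-ahead needed ---
def sign_infinite(SK: bytes, blocks):
    """Yields B'_0 = <pk_0, S(SK, pk_0)>, then B'_i = <B_i, pk_i, s(sk_{i-1}, B_i||pk_i)>."""
    sk_prev, pk_prev = g()
    yield pk_prev + s(SK, pk_prev)
    for b in blocks:
        sk_i, pk_i = g()                  # fresh one-time pair; could be precomputed off-line
        body = b + pk_i
        yield body + s(sk_prev, body)     # s hashes its input, so this signs H(B_i, pk_i)
        sk_prev = sk_i

class InfiniteVerifier:
    def __init__(self, PK: bytes, block0: bytes):
        pk0, sig = block0[:PK_LEN], block0[PK_LEN:]
        if not v(PK, sig, pk0):
            raise ValueError("signature on B'_0 rejected")
        self.pk_prev = pk0

    def feed(self, block: bytes) -> bytes:
        body, sig = block[:-SIG_LEN], block[-SIG_LEN:]
        if not v(self.pk_prev, sig, body):
            raise ValueError("block rejected: one-time signature invalid")
        self.pk_prev = body[-PK_LEN:]     # pk_i, authenticated together with B_i
        return body[:-PK_LEN]

def run(stream, finite=True, tamper=None):
    """Sign `stream`, optionally flip a bit in signed block number `tamper`, then
    verify block by block. Returns (payloads played, whether the receiver stopped)."""
    SK, PK = g()                          # fresh pair per stream: a Lamport key signs once
    blocks = sign_finite(SK, stream) if finite else list(sign_infinite(SK, stream))
    if tamper is not None:
        hit = bytearray(blocks[tamper]); hit[0] ^= 1; blocks[tamper] = bytes(hit)
    verifier = (FiniteVerifier if finite else InfiniteVerifier)(PK, blocks[0])
    played = []
    try:
        for blk in blocks[1:]:
            played.append(verifier.feed(blk))
    except ValueError:
        return played, True
    return played, False
```

`run(stream)` returns the payloads the receiver plays and whether it stopped; flipping one bit of any signed block makes the receiver halt at that block, so every prefix played so far is exactly what the single signature on $B'_0$ vouches for. 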

Hybrid Schemes. In the on-line scheme, the length of the embedded authen- 
tication information is of concern as it could cut into the throughput of the 
stream. In order to reduce it, hybrid schemes can be considered. In this case we 
assume that some asynchrony between the sender and receiver is acceptable. 

Suppose the sender can process a group (say 20) of stream blocks at a time 
before sending them. With a pipelined process this would only add an initial 
delay before the stream gets transmitted. The sender will sign with a one-time 
key only 1 block out of 20. The 20 blocks in between these two signed blocks will 
be authenticated using the off-line scheme. This way the long 1-time signatures 
and the verification time can be amortized over the 20 blocks. 
A useful feature of various proposed 1-time signature schemes is that they allow 
the verification of (the hash of) a message bit by bit. This makes it possible to actually 
“spread out” the signature bits and the verification time among the 20 blocks. 
Indeed, if we assume that the receiver is allowed to play at most 20 blocks of 
unauthenticated information before stopping if tampering is detected, we can do 
the following. We can distribute the signature bits among the 20 blocks and 
verify the hash of the first block bit by bit as the signature bits arrive. This 
keeps the stream rate stable, since we do not have long signatures sent in 
a single block, and verification now takes 3-4 hash computations per block, on 
every block. 

The biggest drawback of the schemes we presented is that they are not very 
resilient to the problem of packet losses. Indeed if a block is missing then the au- 
thentication chain is broken and the rest of the stream cannot be authenticated. 
A hybrid scheme helps in this case as well, since the chain can be restarted when 
the next signed packet arrives. 



3.4 Bibliographical Note 

The scheme for stream signing described above was presented in [9]. The paper 
contains full proofs of security by reduction: i.e. it is shown that an attacker that 
is able to forge a signed stream in the schemes above must necessarily be able to 
either break the underlying signature schemes (either the long-lived or the one- 
time scheme in the on-line solution) or the collision-resistant hash function. The 
paper also discusses issues related to the choices of parameters and algorithms. 
In particular the choice of one-time signatures in the on-line case is important 
since the size of the signatures and keys could become problematic. 

A different kind of efficient signature schemes, valid for a small number of 
messages, rather than just one is discussed in [17]. The paper also discusses their 
application to stream signing. 

Some techniques to deal with the issue of packet loss are described in the 
original paper [9]. A modification of the basic scheme which is highly tolerant 
to packet loss is presented in [16]. 

4 Authentication in Secure Multicast 

In Multicast Communication there is a dynamic group of users who exchange 
messages. These are usually in the form of streams (video, audio, stock quotes, 
teleconferencing etc.) There are two basic authentication problems in secure 
multicast: message and source authentication. 

Message Authentication : Here the problem is to make sure that the message 
was not tampered with during transit. This problem is easily solvable by using 
MAC algorithms. The users in the group all share a key which is used to compute 
and verify MACs. When a message is received and verified, the users know that 
it was sent by a member of the group and it was not modified. 
Source Authentication: Here the problem is to identify who sent the message 
inside the group. Here basic MACs do not work anymore since the receiver can 
also impersonate the user. Notice that the property we require is weaker than 
non-repudiation. Indeed we are only asking that a member of the group can 
identify the source of the message, but not necessarily be able to prove to a 
third party that this is the case. In the following we will focus only on the source 
authentication problem. 

Clearly the previous solution for stream signing works here as well. Each 
member of the group holds a public key and uses the previously described algo- 
rithms to sign the streamed messages. However, it is a little bit of an overkill, 
especially in the on-line case, since we are doing more work than is really re- 
quired by the problem. In this section we will show some algorithms for source 
authentication which are more efficient than full stream signing. These algo- 
rithms can be considered something of a hybrid between signatures and MACs. 

When we talk about efficiency, we stress that we are talking about the fol- 
lowing important parameters: 

— Work overhead: how much computation is required per packet to authenti- 
cate and verify; 

— Bandwidth: how much packet expansion is required to include authentication 
data; 

— Secure Memory: key length at sender and receiver. 



4.1 Timed Authentication 

This solution uses public-key techniques but in a limited way. It does not achieve 
non-repudiation, even if it uses digital signatures. 

A sender in the group has a key pair $(PK, SK)$ used to compute signatures 
under the signature scheme $(G, S, V)$. Also let $(Comm, Decomm)$ and $(Auth, Ver)$ be 
respectively a commitment scheme and a MAC scheme known to all members 
of the group. If the original stream is 

$B = B_1, B_2, B_3, \ldots$ 

then the resulting signed stream is 

$B' = B'_1, B'_2, B'_3, \ldots$ 

computed as follows: 

$B'_1 = \langle B_1, Comm(K_1), S(SK, B_1 \circ Comm(K_1)) \rangle$ 

$B'_2 = \langle B_2, Comm(K_2), MAC(K_1, B_2 \circ Comm(K_2)) \rangle$ 

$B'_3 = \langle B_3, Comm(K_3), Decomm(K_1), MAC(K_2, B_3 \circ Comm(K_3)) \rangle$ 

and following that 

$B'_i = \langle B_i, Comm(K_i), Decomm(K_{i-2}), MAC(K_{i-1}, B_i \circ Comm(K_i)) \rangle$ 
Notice that on the sender side, apart from the first packet, computing the au- 
thentication data requires only a MAC, a commitment and a decommitment 
step, which are all quite fast computations. 

Verification proceeds as follows. $B'_1$ can be authenticated upon receipt since 
it contains a digital signature of its content. $B'_2$ will be authenticated when $B'_3$ 
arrives. The procedure is the following: take $K_1$ out of $B'_3$ and verify that it 
is a proper decommitment of the value contained in $B'_1$. Since $B'_1$ is already 
authenticated this will authenticate the value $K_1$. Now use $K_1$ to verify the 
MAC on $B'_2$. The verification proceeds similarly for all the following blocks. 

It should be clear why the scheme does not achieve non-repudiation. Once 
the MAC keys are known, the receiver can modify the previous blocks (with the 
respective MACs). 

By the same reasoning we have the following attack: if the receiver gets $B'_{i+2}$ 
before $B'_i$ then it cannot trust any of the following packets, since they may come 
from an adversary who has already seen the key. There are two possible solutions 
to this problem. 

Two-way Acknowledgments. The simplest thing to do is for the sender to 
wait to send $B'_{i+2}$ until the receiver acknowledges receipt of $B'_i$. This solution is 
however quite cumbersome in multicast scenarios where the size of the recipient 
group might be quite large. 

Timing Assumption. Assume that sender and receiver synchronize clocks with 
the first block. Also assume that the two clocks do not drift too far apart 
(i.e. we have an upper bound $\delta_t$ on the drift after $t$ time units from synchroniza- 
tion). Then the receiver accepts block $B'_i$ if 

$ArrivalTime_i + \delta_t < DepartureTime_{i+1}$ 

and the departure time can be estimated as 

$DepartureTime_i = DepartureTime_0 + \frac{i}{r}$ 

where $r$ is the sending rate. 

The main problem with the above approach is that the sending rate must be 
slower than possible network delays, which may be a severe limitation in some 
applications. Moreover this basic scheme does not tolerate packet loss since as 
soon as a block is missing the whole authentication chain is broken. Notice that 
a block might be missing not just because the network dropped it, but also 
because it might have been rejected by the receiver because of the timing rule. 

Dealing with Packet Loss. We can solve this problem by using a specific 
implementation of the commitment function. Let $F$ be a pseudo-random func- 
tion which is also collision-resistant (several conjectured examples exist in the 
literature, basically any family of collision-resistant hash functions can be also 
considered a family of PRF functions). Then we define 

$K_i = F^{n-i}(K_0)$ 




Cryptographic Algorithms for Multimedia Traffic 197 



where $K_0$ is a random initial value. We also commit to $K_1 = F^{n-1}(K_0)$ in the 
usual manner¹. Now if a packet is lost we can still authenticate the following 
keys, by iterating the function $F$ enough times to get to the first authenticated 
key that was not lost. 
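The timed scheme of this section, the timing rule and the $F$-chain commitment as one worked example (added here; not the tutorial's code nor that of [1,2,5,16]): HMAC-SHA256 is the MAC, SHA-256 is $F$, and $Comm(K_i) = F(K_i)$ as in the footnote, so the decommitment of $K_{i-2}$ is the key itself. The digital signature on $B'_1$ is replaced by the assumption that the receiver already holds $Comm(K_1)$ authenticated (the anchor below); block numbering from 2, the packet fields and the simulated clock are constructed for this example. 

```python
import hashlib
import hmac
import os

def F(x: bytes) -> bytes:
    """Collision-resistant PRF stand-in: SHA-256 (the text allows any such hash)."""
    return hashlib.sha256(x).digest()

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class Sender:
    def __init__(self, n: int, rate: float, d0: float = 0.0):
        self.n, self.rate, self.d0 = n, rate, d0
        self.K = [None] * (n + 1)
        self.K[n] = os.urandom(32)            # K_0, the random seed; K_i = F^{n-i}(K_0)
        for i in range(n - 1, 0, -1):
            self.K[i] = F(self.K[i + 1])
        self.anchor = F(self.K[1])            # Comm(K_1); the text carries it in the signed B'_1

    def departure(self, i: int) -> float:
        return self.d0 + i / self.rate        # DepartureTime_i = DepartureTime_0 + i/r

    def block(self, i: int, payload: bytes) -> dict:
        """B'_i = <B_i, Comm(K_i), Decomm(K_{i-2}), MAC(K_{i-1}, B_i o Comm(K_i))>, i >= 2."""
        comm = F(self.K[i])                   # footnote: Comm(K_i) = F(K_i), which equals K_{i-1}
        reveal = self.K[i - 2] if i >= 3 else None
        return {"i": i, "B": payload, "comm": comm, "reveal": reveal,
                "mac": mac(self.K[i - 1], payload + comm)}

class Receiver:
    def __init__(self, anchor: bytes, rate: float, d0: float, drift: float):
        self.auth = (0, anchor)               # (index j, K_j); index 0 stands for Comm(K_1)
        self.rate, self.d0, self.drift = rate, d0, drift
        self.pending, self.played, self.halted = {}, [], False

    def receive(self, pkt: dict, arrival: float) -> None:
        if self.halted:
            return
        i = pkt["i"]
        # Timing rule: ArrivalTime_i + delta_t < DepartureTime_{i+1}; otherwise treat as lost.
        if arrival + self.drift >= self.d0 + (i + 1) / self.rate:
            return
        self.pending[i] = pkt
        a, Ka = self.auth
        j = i - 2
        if pkt["reveal"] is not None and j > a:
            x = pkt["reveal"]
            for _ in range(j - a):            # walk F over any lost keys back to K_a
                x = F(x)
            if not hmac.compare_digest(x, Ka):
                self.halted = True            # forged key: stop playing
                return
            a, Ka = j, pkt["reveal"]
            self.auth = (a, Ka)
        # Every pending block whose MAC key K_{b-1} is now derivable can be checked.
        for b in sorted(k for k in self.pending if k - 1 <= a):
            p = self.pending.pop(b)
            key = Ka
            for _ in range(a - (b - 1)):      # K_{b-1} = F^{a-b+1}(K_a)
                key = F(key)
            if not hmac.compare_digest(mac(key, p["B"] + p["comm"]), p["mac"]):
                self.halted = True
                return
            self.played.append(p["B"])

def simulate(lost=(), tamper=None, late=()):
    """Constructed run: blocks 2..8 at 10 blocks/s, 20 ms delay, 10 ms drift bound."""
    rate, d0, drift = 10.0, 0.0, 0.01
    snd = Sender(n=16, rate=rate, d0=d0)
    rcv = Receiver(snd.anchor, rate, d0, drift)
    for i in range(2, 9):
        pkt = snd.block(i, f"frame-{i}".encode())
        if i in lost:
            continue
        if i == tamper:
            pkt = dict(pkt, B=b"forged")      # in-transit modification of the payload
        delay = 0.15 if i in late else 0.02
        rcv.receive(pkt, snd.departure(i) + delay)
    return [b.decode() for b in rcv.played], rcv.halted
```

Block $i$ is played only once $K_{i-1}$ is known, which happens when block $i+1$ reveals it or, if that block was lost or arrived too late, when any later key is authenticated and $F$ is iterated back to $K_{i-1}$; a forged payload is caught at that moment and the receiver halts. 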

Improving Transfer Rate. There are several possible approaches to this 
problem. Rather than sending the key in the next packet we wait for d packets. 
This increases the time from which the packet is received to when it’s authenti- 
cated. 

Another possible approach is to schedule the revealing time of the key, on 
a time-interval basis rather than on a number of packets basis. This allows the 
sender to accommodate variable transfer rates. 

Finally if we embed more than one authentication chain in the stream, we 
can accommodate different receivers with varying receiving rates. 



4.2 A MAC-Only Solution 

It would seem that the requirement for source authentication in multicast groups 
requires the use of public-key solutions. Yet in this section we will show that 
if we relax the notion of security a little bit, it is possible to achieve source 
authentication by using only MACs. 

Clearly a MAC-only solution could be obtained by having each pair of group 
users exchange a key, and a sender would MAC each message N times (where 
N is the number of users), once with each key. Clearly this does not scale well 
for large groups. 

The scheme we are going to describe uses a different idea. The sender holds 
a set of £ keys. Each receiver holds a subset of these keys. Clearly if a group of 
receivers covers the whole set of keys of the sender they could easily impersonate 
him. Thus we relax our security definition by asking that any coalition of less 
than w receivers cannot impersonate the sender. The parameter w is called the 
impersonation threshold of the system. 

Let $\mathcal{R} = \{K_1, K_2, \ldots, K_\ell\}$ be the keys held by the sender. A user $u$ is given 
a subset $\mathcal{R}_u \subseteq \mathcal{R}$ of the keys. Each key $K_i$ is included in $\mathcal{R}_u$ with some fixed probability, 
independently for every $i$ and every $u$. 

The sender sends a message $M$ and attaches $\ell$ MACs, one with each key 
he holds. The user $u$ accepts if all the MACs created with the keys in $\mathcal{R}_u$ are 
correct. 

Now that we specified the scheme, we only need to pinpoint a sufficiently 
large value for $\ell$. In [4] the following theorem is proved, by a simple probability 
argument. 

Theorem 1. If $\ell = e(w+1)\ln\frac{1}{q}$ then the probability that a coalition of $w$ users 
can impersonate the sender to a specific user $u$ is less than $q$. 



¹ To save on code we can also use $F$ for the commitment purpose, i.e. $Comm(K_i) = 
F(K_i) = F^{n-i+1}(K_0)$. 
Theorem 1 holds with respect to a specific subset of $w$ parties. We want 
security with respect to any coalition. If we fix $q$ to be one over the number 
of all pairs of one player and $w$-coalitions, then a 
probabilistic argument tells us that there exists a key assignment for which no 
$\mathcal{R}_u$ is covered by a $w$-coalition. The proof is not really constructive, but it is 
possible to test key assignments until a correct one is found. 

Notice that the total number of keys is $\approx e(w+1)^2 \ln N$, while each player 
holds $\approx e(w+1)\ln N$ keys. 
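The key-subset scheme as a worked example (added here; not the code of [4]): $\ell$ from Theorem 1, the random key assignment, $\ell$ MACs per message with verification restricted to $\mathcal{R}_u$, and the "test assignments until a correct one is found" search with $q$ equal to one over the number of (player, $w$-coalition) pairs. The per-key inclusion probability $1/(w+1)$ is an assumption of this example, since the text leaves the value unstated; HMAC-SHA256 truncated to 16 bytes is the MAC, and the coalition's forgery attempt (compute the tags it can, guess the rest) is constructed to show what the impersonation threshold buys. 

```python
import hashlib
import hmac
import math
import os
import random
from itertools import combinations

TAG_LEN = 16                          # bytes per MAC; shorter tags trade bandwidth for forgery odds

def num_keys(w: int, q: float) -> int:
    """Theorem 1: l = e(w+1) ln(1/q) keys, rounded up."""
    return math.ceil(math.e * (w + 1) * math.log(1 / q))

def assign_keys(n_users: int, ell: int, w: int, rng: random.Random):
    """Each key index lands in R_u with probability p, independently for every (key, user).
    p = 1/(w+1) is this example's assumption; the text leaves the value unstated."""
    p = 1 / (w + 1)
    return [frozenset(i for i in range(ell) if rng.random() < p) for _ in range(n_users)]

def covered(assignment, coalition, u) -> bool:
    """A coalition can impersonate the sender to u iff it holds every key of R_u."""
    known = set().union(*(assignment[x] for x in coalition))
    return assignment[u] <= known

def is_secure(assignment, w: int) -> bool:
    """No (user, w-coalition) pair is covered: the assignment meets the threshold w."""
    n = len(assignment)
    return all(not covered(assignment, W, u)
               for u in range(n)
               for W in combinations([x for x in range(n) if x != u], w))

def find_assignment(n_users: int, w: int, seed: int = 7, max_tries: int = 10000):
    """q = 1 / (n * C(n, w)) as in the text; sample assignments until one is secure."""
    rng = random.Random(seed)
    q = 1 / (n_users * math.comb(n_users, w))
    ell = num_keys(w, q)
    for _ in range(max_tries):
        assignment = assign_keys(n_users, ell, w, rng)
        if is_secure(assignment, w):
            return ell, assignment
    return ell, None

def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def send(keys, msg: bytes):
    """Sender attaches one MAC per key it holds."""
    return msg, [tag(k, msg) for k in keys]

def accepts(keys, own: frozenset, msg: bytes, tags) -> bool:
    """User u checks only the MACs made with keys in R_u."""
    return all(hmac.compare_digest(tags[i], tag(keys[i], msg)) for i in own)

def forge(keys, known: set, ell: int, msg: bytes):
    """A coalition computes the tags it can and guesses the rest."""
    return msg, [tag(keys[i], msg) if i in known else os.urandom(TAG_LEN) for i in range(ell)]

def demo(n_users: int = 6, w: int = 2, seed: int = 7):
    """Returns (l, every user accepts the genuine message, some coalition fooled someone)."""
    ell, assignment = find_assignment(n_users, w, seed)
    keys = [os.urandom(32) for _ in range(ell)]
    msg, tags = send(keys, b"stock quote: ACME 42.00")          # constructed message
    honest = all(accepts(keys, assignment[u], msg, tags) for u in range(n_users))
    fooled = False
    for u in range(n_users):
        for W in combinations([x for x in range(n_users) if x != u], w):
            known = set().union(*(assignment[x] for x in W))
            fmsg, ftags = forge(keys, known, ell, b"stock quote: ACME 0.01")
            fooled |= accepts(keys, assignment[u], fmsg, ftags)
    return ell, honest, fooled
```

For six users and $w = 2$ the threshold gives $q = 1/90$ and $\ell = 37$ keys; with a secure assignment every receiver holds at least one key outside any two-member coalition, so the forged quote is rejected by everyone while the genuine one is accepted. 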

Reducing the Bandwidth. We can reduce the communication overhead by 
considering shorter (thus weaker) MACs but more keys. At the extreme the 
MACs could be one-bit long (thus forgeable with probability 1/2). 

For example if we set $\ell = 4e(w+1)\ln\frac{1}{q}$, with one-bit MACs, by repeating the 
probabilistic argument mentioned above it is possible to claim that with high 
probability a coalition of $w$ players does not know up to $\log\frac{1}{q}$ keys of a receiver. 
Before we could only prove that the coalition missed at least one key. 

Since one-bit MACs are forgeable with probability 1/2, the probability of 
fooling the user is at most $q$. 

4.3 Bibliographical Note 

The timed authentication scheme described in Section 4.1 was presented inde- 
pendently in several papers [1,2,5,16]. 

The MAC-only solution described in Section 4.2 originates from [4]. The 
reader is referred to the full paper for a more detailed description of the solution, 
including the case of multiple senders. 

5 Secrecy in Secure Multicast 

Protecting the confidentiality of multicast communication is easier, especially 
if the group is static. The members of the group all share the same key for a 
symmetric encryption scheme which is used to encrypt the data. 

Technically, things become more interesting when the group is dynamic. User 
addition is easily handled by communicating the common key directly to the new 
user. If previous communications should be kept secret from the new user, a new 
key can be generated for the whole group. 

User deletion or revocation is the most problematic issue. We are going to 
deal with this problem for the rest of the section. In the literature this problem 
has been referred also as Broadcast Encryption. 
5.1 A Simple Tree Scheme 

Let $u_0, \ldots, u_{N-1}$ be the users. Think of them as leaves in a binary tree. In 
the following we will denote with $p(v)$ and $s(v)$ respectively the parent and the 
sibling of a node $v$. 

Each node $v$ in the tree is associated with a key $K_v$. Each user receives the 
keys on the path from its leaf to the root. The root key is used to encrypt 
traffic, since every user knows it. 

If a user $u$ is removed, new keys $K'_v$ are generated for the nodes $v$ in the path 
from $u$ to the root. The new keys are communicated as follows. 

— $K'_{p(u)}$ is encrypted with $K_{s(u)}$; 

— for all the other nodes $v$ in the path, $K'_v$ is encrypted with the new key $K'$ of 
its child on the path and with $K_{s(v)}$. 

It should be clear that the new keys can be decrypted by (and only by) all the 
users that are supposed to know them. 

Each user holds $\log N + 1$ keys and the revocation of a user creates a message 
of $2\log N - 1$ ciphertexts. 

It is possible to improve the communication overhead by a factor of 2, by 
using pseudorandom number generators. Let $G$ be a PRG that doubles its input: 
$G(x) = L(x) \circ R(x)$. When $u$ is removed the new keys are computed using some 
random seeds $r$. The new key is $K'_v = L(r_v)$, where the seeds are set as follows: 

— $r_{p(u)}$ is set to a random value $r$; 

— for all the other nodes $v$ in the path, $r_{p(v)}$ is set to $R(r_v)$. 

Each value $r_{p(v)}$ is encrypted with $K_{s(v)}$ and clearly from $r_{p(v)}$ one can compute 
$K'_{p(v)}, K'_{p(p(v))}, \ldots, K'_{root}$. 



5.2 Stateless Receivers 

In the previous scheme we change the keys continuously as the group changes. 
We expect the group members to update their internal state with the new keys. 
A large class of applications however deals with stateless receivers, i.e. devices 
that cannot update their internal state. Thus these devices are initialized with 
some long-lived keys which must be able to decrypt the data for any group 
configuration in which the device is enabled. In this section we present a general 
framework called Subset Cover for stateless receivers. 

An algorithm defines $k$ subsets $S_1, \ldots, S_k$ of the set of group members $U$. 
Each subset $S_i$ is associated with a long-lived key $L_i$ which does not change over 
time. If the user $u \in S_i$ then $u$ must know $L_i$. 

When a subset $R$ of members must be revoked, the set $N \setminus R$ is partitioned 
into disjoint subsets $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$. The session key $K$ (which is changed con- 
tinuously) is encrypted with keys $L_{i_1}, L_{i_2}, \ldots, L_{i_m}$. The ciphertext is 

$\langle i_1, \ldots, i_m, E(L_{i_1}, K), \ldots, E(L_{i_m}, K), E'(K, M) \rangle$ 

where $E, E'$ are symmetric encryption schemes. 
Decryption is performed by having user $u$ determine for which $i_j$ it holds $u \in S_{i_j}$ 
and then decrypt the session key using the correct key $L_{i_j}$. 

Thus a specific algorithm in this framework is determined by 

1. the collection of subsets $S_i$; 

2. the assignment of key $L_i$ to subset $S_i$; 

3. a method to cover $N \setminus R$ by disjoint subsets of the $S_i$'s; 

4. a method for user $u$ to find its cover $S_{i_j}$. 

The parameters to keep in mind are the following: (a) message length, (b) 
storage size at the receiver’s end, (c) message processing time at the receiver’s 
end. These are functions of $n = |U|$, the size of the universe of members, and 
$r = |R|$, the size of the revoked group. 

We present two instantiations of the framework: 

— Complete Subtree: which has parameters (a) $r\log\frac{n}{r}$, (b) $\log n$, (c) $O(\log\log n)$. 

— Subset Difference: which has parameters (a) $2r$, (b) $O(\log^2 n)$, (c) $O(\log n)$. 

The Complete Subtree Method. This algorithm can be considered a gener- 
alization of the previous tree algorithm to the case of stateless receivers. 

Think of users as the n leaves of a binary tree. The collection of sets S_i in 
this method consists of all the complete subtrees of this full tree. A user u ∈ S_i 
if root(S_i) is an ancestor of u. 

Each subset S_i is assigned a random key L_i which is given to all the users in 
the set. 

Now suppose we want to remove r users R = {u_1, ..., u_r}. Consider the min- 
imal subtree T(R) that contains such users and the root. The cover is composed 
of all the subsets S_{i_1}, ..., S_{i_m} that "hang off" T(R). In other words, all the sub- 
trees whose root is adjacent to a node of outdegree 1 in T(R) (and which do not 
belong to T(R)). Clearly S_{i_1}, ..., S_{i_m} is a partition of U \ R. 

How big is m? An easy upper bound on m is r log n, since there are at most 
r paths from the root to a leaf in T(R) and each path has length log n. An easy 
induction argument actually improves this to r log(n/r). 

Clearly each user belongs to log n sets, so it has to store that many keys. 

Finally a user u belongs to the subtree S_{i_j} in the cover if and only if, among 
all the cover roots, root(S_{i_j}) is the one sharing the longest common prefix with u 
(viewing both as paths from the root). This can be computed in O(log log n) 
time given the appropriate preprocessing. 

If one compares this scheme to the basic tree algorithm, it can be seen that 
this scheme requires a single decryption, while the other one requires O(log n) 
decryptions, when users are revoked. 
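The cover computation of the Complete Subtree method, worked through on a small tree as an added example (this is not the lecture's code). It assumes heap-style node numbering (root 1, children 2v and 2v+1, leaves n..2n-1), which turns the "ancestor" test of step 4 into a bit-prefix test.

```python
# Complete Subtree cover computation, added here as a worked example (not the
# lecture's own code). Users are the n = 2**h leaves of a full binary tree,
# numbered heap-style: root = 1, children of v are 2v and 2v+1, leaves n..2n-1.
import math


def leaves_below(v, n):
    """Leaves (user ids in n..2n-1) of the complete subtree S_v rooted at v."""
    lo, hi = v, v
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo, hi + 1))


def steiner_tree(revoked):
    """Nodes of T(R): the revoked leaves together with all their ancestors."""
    nodes = set()
    for u in revoked:
        v = u
        while v >= 1:
            nodes.add(v)
            v //= 2
    return nodes


def complete_subtree_cover(revoked, n):
    """Roots of the subtrees S_{i_1}, ..., S_{i_m} that hang off T(R).

    A subtree hangs off T(R) when its root is a child of a T(R) node but is
    not in T(R) itself; that T(R) node is then a node of outdegree 1 in T(R).
    """
    if not revoked:
        return [1]                       # nobody revoked: the whole tree
    tr = steiner_tree(revoked)
    cover = []
    for v in sorted(tr):
        if v >= n:                       # leaves have no children
            continue
        for child in (2 * v, 2 * v + 1):
            if child not in tr:
                cover.append(child)
    return cover


def is_partition_of_privileged(cover, revoked, n):
    """Check that the cover subsets are pairwise disjoint and cover U \\ R."""
    seen = set()
    for v in cover:
        block = leaves_below(v, n)
        if block & seen:
            return False
        seen |= block
    return seen == set(range(n, 2 * n)) - set(revoked)


def find_own_subset(u, cover):
    """Step 4 of the framework: user u picks the cover subset whose root is an
    ancestor of u (heap numbering makes this a bit-prefix test). Returns None
    when u is revoked, since then no cover subset contains it."""
    for v in cover:
        shift = u.bit_length() - v.bit_length()
        if shift >= 0 and (u >> shift) == v:
            return v
    return None


def cover_bound(r, n):
    """The r log(n/r) bound on the cover size m discussed in the text."""
    return r * math.log2(n / r)


if __name__ == "__main__":
    n = 8
    revoked = {8, 13}                    # constructed example: two revoked users
    cover = complete_subtree_cover(revoked, n)
    print("cover roots:", cover, "m =", len(cover),
          "bound r log(n/r) =", cover_bound(len(revoked), n))
    print("user 10 decrypts with the key of S_%d" % find_own_subset(10, cover))
    print("revoked user 8 finds", find_own_subset(8, cover))
```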



The Subset Difference Method. In this scheme we totally remove the de- 
pendency on n from the message expansion parameter (n may grow a lot). The 
tradeoff is that we square the number of keys held by each player. 

Again, think of the n users as leaves of a full binary tree. Each subset S_{ij} 
can be described as a subtree minus another subtree. More specifically a subset 
S_{ij} is associated with two nodes v_i and v_j in the tree, such that v_i is an ancestor 
of v_j. The users in S_{ij} are the users in the subtree rooted at v_i minus the ones 
in the subtree rooted at v_j. 

Suppose we want to revoke r users R = {u_1, ..., u_r}. We need to find a 
cover S_{i_1 j_1}, ..., S_{i_m j_m} which partitions U \ R. As before we consider the minimal 
subtree T(R) that contains such users and the root. The cover is found via an 
iterative procedure which looks for maximal chains of nodes with outdegree 1 in 
T(R). More specifically, such a chain [v_{i_1}, ..., v_{i_ℓ}] is such that: (1) v_{i_1} is either 
a leaf or a node of outdegree 2; (2) the parent of v_{i_ℓ} is either the root or a node 
of outdegree 2; (3) each intermediate node v_{i_2}, ..., v_{i_{ℓ−1}} has outdegree 1. Note 
that all nodes of outdegree 1 in T(R) belong to precisely one such chain. 

For each such chain with ℓ ≥ 2, the procedure adds the subset S_{i_ℓ i_1} (the 
subtree rooted at v_{i_ℓ} minus the subtree rooted at v_{i_1}) to the cover. It is not 
hard to see that the cover size is at most 2r − 1. 

If we assign a random key L_{ij} to each subset S_{ij}, it would result in O(n) 
keys held by each player. Indeed consider each complete subtree T_k such that 
u ∈ T_k. For each sub-subtree of T_k on the path from u to root(T_k) such that u 
does not belong to it, u must store a number of keys proportional to the number 
of nodes in the sub-subtree. That is 

  Σ_{k=1}^{log n} (2^k − k) ≈ O(n) 

We would like to reduce this to O(log n) per sub-subtree. We do that by using 
pseudorandom generators. 

Let G be a PRG that triples its input: 

  G(s) = G_L(s) ∘ G_M(s) ∘ G_R(s) 

First of all we give random labels to each node which is not a leaf. Let LAB_i be the 
label of node v_i. Now consider the subtree T_i rooted at v_i. We apply a top-down 
labeling procedure which assigns more labels to each node. The label of the left 
(resp. right) child is G_L (resp. G_R) applied to the LAB of the parent. 

Now a node v_j has log n labels. If v_i is an ancestor of v_j, with LAB_{ij} we 
denote the label assigned to v_j by the labeling procedure started at v_i. The 
subset S_{ij} is assigned the key L_{ij} = G_M(LAB_{ij}). 

This labeling system has the following properties: 

— given LAB_i it is possible to compute the keys of all the subsets S_{ij}; 

— without knowing LAB_i (or any intermediate label in the labeling procedure 
started at v_i) the keys of all subsets S_{ij} are pseudorandom. 

So if u is a user, what does it get? For each subtree T_i in which u is a leaf, 
consider the path from root(T_i) to u. Give to u all the labels of the roots 
of the "hanging" subtrees. Thus u gets up to O(log n) labels per subtree, which 
makes O(log² n) total. 

How do we decrypt? The cover can be found in O(log log n) steps. User u can 
compute the right key from the labels in its possession, via O(log n) applications 
of the PRG G. Once the key is found a single decryption is required. 
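The label derivation of the Subset Difference method, as an added example (not the lecture's code): the PRG G is instantiated, as an assumption, by HMAC-SHA256 under three fixed tags for G_L, G_M, G_R, and nodes are numbered heap-style (root 1, children 2v and 2v+1). It shows a user deriving the key of a subset it belongs to and failing to derive the key of a subset that excludes it.

```python
# Subset Difference key derivation, added as a worked example (not the lecture's
# own code). The PRG G that triples its input is instantiated, as an assumption,
# by HMAC-SHA256 under three domain-separation tags (G_L, G_M, G_R). Nodes are
# numbered heap-style (root 1, children of v are 2v and 2v+1, leaves n..2n-1).
import hashlib
import hmac
import os


def G_L(s): return hmac.new(s, b"L", hashlib.sha256).digest()   # left part
def G_M(s): return hmac.new(s, b"M", hashlib.sha256).digest()   # middle part
def G_R(s): return hmac.new(s, b"R", hashlib.sha256).digest()   # right part


def is_ancestor(a, d):
    """True iff a is an ancestor of (or equal to) d in heap numbering."""
    shift = d.bit_length() - a.bit_length()
    return shift >= 0 and (d >> shift) == a


def derived_label(lab_i, v_i, v_j):
    """LAB_{ij}: run the top-down labeling from v_i (label lab_i) down to v_j,
    applying G_L for a left step and G_R for a right step."""
    assert is_ancestor(v_i, v_j)
    lab = lab_i
    for k in range(v_j.bit_length() - v_i.bit_length() - 1, -1, -1):
        lab = G_R(lab) if (v_j >> k) & 1 else G_L(lab)
    return lab


def subset_key(lab_i, v_i, v_j):
    """Key L_{ij} of S_{ij} = G_M(LAB_{ij})."""
    return G_M(derived_label(lab_i, v_i, v_j))


def ancestors(u):
    v = u // 2
    while v >= 1:
        yield v
        v //= 2


class Center:
    """Holds the random LAB_i of every internal node and hands out labels."""

    def __init__(self, n):
        self.n = n
        self.lab = {v: os.urandom(32) for v in range(1, n)}

    def key_for(self, v_i, v_j):
        return subset_key(self.lab[v_i], v_i, v_j)

    def labels_for_user(self, u):
        """For every subtree T_i containing leaf u, the labels (derived from
        LAB_i) of the subtrees hanging off the path root(T_i) -> u: O(log n)
        per subtree, O(log^2 n) in total. Dict keys are (v_i, hanging root)."""
        labels = {}
        for v_i in ancestors(u):
            w = u
            while w != v_i:
                sib = w ^ 1                      # sibling hangs off the path
                labels[(v_i, sib)] = derived_label(self.lab[v_i], v_i, sib)
                w //= 2
        return labels


def user_key(labels, v_i, v_j):
    """A user derives L_{ij} iff it holds a label, started at v_i, of a node on
    the path v_i -> v_j, i.e. iff u is below v_i but not below v_j. Returns
    None when the user is outside S_{ij} (no usable label)."""
    for (i, w), lab in labels.items():
        if i == v_i and is_ancestor(w, v_j):
            return G_M(derived_label(lab, w, v_j))
    return None


if __name__ == "__main__":
    center = Center(8)
    labels = center.labels_for_user(10)          # constructed: user 10 of 8..15
    print("labels held:", len(labels))           # (1/2)log^2 n + (1/2)log n = 6
    print("in S_{2,4}:", user_key(labels, 2, 4) == center.key_for(2, 4))
    print("in S_{1,5}:", user_key(labels, 1, 5))  # None: 10 lies below v_5
```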

5.3 Bibliographical Note 

The problem of broadcast encryption was introduced in [8], where a combinato- 
rial solution was presented. Their solution is similar in spirit to the MAC-only 
multicast authentication algorithm presented in Section 4.2. In fact the work in 
[8] predates and inspired the MAC-only algorithm. 

The simple tree scheme in Section 5.1 was independently proposed in [19] 
and [20]. The stateless receiver solution was presented in [14]. 

6 Tracing Traitors 

The previous broadcast encryption schemes guarantee that only the correct 
subset of users is allowed to decrypt the data. However the system can be easily 
circumvented by a single authorized user who reveals its private information to 
allow other non-authorized users to decrypt. 

Consider the example of an encrypted Pay-TV station. A legitimate receiver 
can do two things: 

— re-broadcast the clear data that it receives. This is however, costly, compli- 
cated and easily detectable. 

— copy the secret key in its possession and “sell” a “pirate” decoder box on 
the black market. 

The second attack is much harder to detect. It is usually countered by providing 
users with tamper-resistant decoders, which prevents direct reading or copying 
of the internal keys. However, very secure tamper-proof hardware is extremely 
costly, while basic solutions can easily be reverse-engineered. 

Thus we are interested in trying to devise a software-only solution to help 
against the “traitors” problem. 

The basic idea is to somehow "fingerprint" the keys of each user. When these 
keys are found inside a decoder box, then we can trace them back to the "traitor 
user". 

It should be possible to trace at least one such traitor, even if the pirate 
decoder box was built using the information from a coalition of up to k traitors 
(k being a parameter in the scheme). 

Moreover, we are not sure if when we find a pirate decoder box, we will be 
able to open it and read its content (the pirate box might be tamper-resistant as 
well). Thus we would like the tracing mechanism to be black-box, i.e. it should 
identify the traitor by simple I/O interaction with the pirate box. 

In this section we will discuss some "tracing traitors" algorithms. Such a 
scheme should be implemented on top of any of the broadcast encryption schemes 
presented before. A general way to do this is to split the message being sent as 
M = M_1 ⊕ M_2 and then encrypt M_1 with the broadcast encryption scheme, and 
M_2 with the traitor tracing scheme. 

The parameters of a traitor tracing scheme are n, the number of users, and 
k, the maximum size of a coalition of traitors that the scheme tolerates. 

6.1 Tracing Traitors in the Subset Cover Framework 

The Subset Cover framework for broadcast encryption (discussed in Section 5.2) 
provides a seamless integration of broadcast encryption with traitor tracing. 

We are going to present a traitor tracing mechanism that works for any 
instantiation of the subset cover mechanism that satisfies the so-called subset 
bifurcation property. 

Recall that in the subset cover framework we partition the privileged set 
N \ R into m disjoint subsets S_{i_1}, ..., S_{i_m} from a predetermined family. We say 
that the subset bifurcation property is satisfied if there exist constants a_1, a_2 
such that, for all S_i in the family, there exist S_{i_1}, S_{i_2} also in the family, such 
that: (1) S_i = S_{i_1} ∪ S_{i_2}, with S_{i_1} and S_{i_2} disjoint; (2) a_1 |S_i| ≤ |S_{i_1}|, |S_{i_2}| ≤ a_2 |S_i|. 

Before we show how to use the subset bifurcation property to perform traitor 
tracing, we show that the two instantiations of the subset cover framework shown 
in Section 5.2 have this property. 

The Complete Subtree Method. Each subset is formed by the leaves of a 
complete subtree. Each subtree can be split as the left and the right subtree. 
Thus the constant a = 1/2. 

The Subset Difference Method. Each subset S_{ij} can be split along the left 
and right subtrees of v_i. The worst case is when v_i is the grandparent of v_j, in which 
case one side gets 2/3 of the elements, while the other only 1/3. 

The Tracing Mechanism. We use the bifurcation property to perform a sort 
of binary search on the users. We are given a pirate box which decodes with a 
certain cover, i.e. decrypts the ciphertext¹ 

  C = < i_1, ..., i_m, E_{L_{i_1}}(K), ..., E_{L_{i_m}}(K), E'_K(M) > 

Suppose we have a way to identify a subset S_{i_ℓ} in the cover such that a traitor 
belongs to S_{i_ℓ} (clearly at least one traitor must belong to at least one subset). 

If |S_{i_ℓ}| = 1 then we are done. Otherwise we split S_{i_ℓ} using the bifurcation 
property and continue on. 

Thus all we need to show is how to identify such a subset S_{i_ℓ}. Recall that we 
may have many traitors, thus the box may have several keys in it. Recall also 
that we can only query the box to get decrypted values (black-box access). 

We look at the behavior of the box when it is fed ciphertexts of the following 
form: 

  < i_1, ..., i_m, E_{L_{i_1}}(RK), ..., E_{L_{i_j}}(RK), E_{L_{i_{j+1}}}(K), ..., E_{L_{i_m}}(K), E'_K(M) > 

where RK denotes a random key, different from K. 

¹ We are going to assume that the pirate box decrypts with probability 1 given a 
certain cover. This is not necessary, since we can adjust for a "threshold" probability 
of decryption p. 

We denote with p_j the probability that the box decrypts correctly this "faulty" 
ciphertext. Basically if p_j is sufficiently high, we know that the box must contain 
L_{i_k} for some k > j and thus the traitor is in one of the subsets S_{i_k}, for k > j. 
Notice that p_0 = 1 while p_m = 0, thus we must have that for some j the value p_j 
is substantially different from p_{j−1} (the drop from 1 to 0 happens over m steps, 
so at least one single step is at least 1/m). 
If p_j is substantially different from p_{j−1} it means that the box is using the correct 
key L_{i_j} and thus S_{i_j} must contain a traitor. 

Once again we find the relevant p_j by a sort of binary search using the 
following procedure. The recursion stops when b − a = 1: then p_a and p_b are 
consecutive probabilities that differ substantially, so S_{i_b} contains a traitor. 

ST(0, m) 

1. a ← 0; 

2. b ← m; 

3. c ← ⌊(a + b)/2⌋; 

4. Estimate p_a, p_b, p_c; 

5. If |p_c − p_a| > |p_b − p_c| 

6. Then ST(a, c); 

7. Else ST(c, b); 
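The black-box tracing procedure carried through end to end, as an added example (not the lecture's code): the pirate box is modelled as holding the union of a coalition's keys and is only ever queried; ST(0, m) locates a suspect subset, and the bifurcation property of the Complete Subtree method (split S_v into S_{2v} and S_{2v+1}) is applied until one leaf remains. The encryption E_L(K) is instantiated, as an assumption, by a one-time pad keyed through HMAC-SHA256, with a tag so that the box can tell a good session key from RK.

```python
# Black-box traitor tracing in the subset cover framework, added as a worked
# example (not the lecture's own code). Subsets are the complete subtrees of a
# heap-numbered tree (root 1, children 2v and 2v+1, leaves n..2n-1), so the
# bifurcation property is "split S_v into S_{2v} and S_{2v+1}". The encryption
# E_L(K) is instantiated, as an assumption, by a one-time pad keyed through
# HMAC-SHA256; the pirate box is only ever queried, never opened.
import hashlib
import hmac
import os


def kdf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(cover, keys, K, M, faulty=0):
    """< i_1..i_m, E_{L_{i_1}}(.) .. E_{L_{i_m}}(.), E'_K(M) >; the first
    `faulty` header entries carry a random RK instead of the session key K."""
    nonce = os.urandom(16)
    header = []
    for pos, i in enumerate(cover):
        sess = os.urandom(32) if pos < faulty else K
        header.append((i, xor(sess, kdf(keys[i], nonce))))
    body = xor(M, kdf(K, b"msg" + nonce))
    tag = kdf(K, b"tag" + M)              # lets the box tell a good K from RK
    return nonce, header, body, tag


class PirateBox:
    """Built from the union of the coalition's keys; decrypts whenever any
    header entry it can open yields a K that checks out (probability 1)."""

    def __init__(self, keys):
        self.keys = keys

    def decrypt(self, ct):
        nonce, header, body, tag = ct
        for i, blob in header:
            if i in self.keys:
                K = xor(blob, kdf(self.keys[i], nonce))
                M = xor(body, kdf(K, b"msg" + nonce))
                if hmac.compare_digest(kdf(K, b"tag" + M), tag):
                    return M
        return None


def estimate_p(box, cover, keys, j, trials=4):
    """p_j: fraction of faulty ciphertexts (first j entries spoiled) decrypted."""
    ok = 0
    for _ in range(trials):
        K, M = os.urandom(32), os.urandom(32)
        ok += box.decrypt(encrypt(cover, keys, K, M, faulty=j)) == M
    return ok / trials


def suspect_subset(box, cover, keys):
    """ST(0, m) from the text: binary search for the j where p_{j-1} and p_j
    differ most; the recursion ends when b - a = 1 and S_{i_b} is returned."""
    a, b = 0, len(cover)
    pa, pb = estimate_p(box, cover, keys, a), estimate_p(box, cover, keys, b)
    while b - a > 1:
        c = (a + b) // 2
        pc = estimate_p(box, cover, keys, c)
        if abs(pc - pa) > abs(pb - pc):
            b, pb = c, pc                  # jump lies in (a, c]
        else:
            a, pa = c, pc                  # jump lies in (c, b]
    return cover[b - 1]                    # i_b (positions are 1-based)


def trace(box, keys, n):
    """Start from the cover {S_1} (nobody revoked), find a suspect subset,
    split it by the bifurcation property, and repeat until a single leaf
    (one traitor) is identified."""
    cover = [1]
    while True:
        v = suspect_subset(box, cover, keys)
        if v >= n:
            return v
        idx = cover.index(v)
        cover[idx:idx + 1] = [2 * v, 2 * v + 1]


def make_system(n):
    """Constructed key material: one random key L_v per tree node."""
    return {v: os.urandom(32) for v in range(1, 2 * n)}


def user_keys(u, keys):
    """A user holds the keys of all complete subtrees containing it."""
    return {v: keys[v] for v in keys
            if u.bit_length() >= v.bit_length()
            and (u >> (u.bit_length() - v.bit_length())) == v}


if __name__ == "__main__":
    n = 8
    keys = make_system(n)
    box = PirateBox({**user_keys(9, keys), **user_keys(13, keys)})  # coalition {9, 13}
    print("traced traitor:", trace(box, keys, n))
```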

6.2 A Public-Key Scheme 

We conclude with a public-key scheme. It is mostly of theoretical interest since 
in this scenario, private-key encryption is usually adopted for efficiency reasons. 
However it is interesting because it shows that algebraic techniques, and not just 
combinatorial ones, can be used for these applications. Also being a public-key 
scheme it allows anybody to broadcast messages to the receivers, and not just a 
pre-determined sender. 

ElGamal Encryption. Let G_q be a group of prime order q. Let g be a gener- 
ator for G_q. The public key of the ElGamal encryption scheme is a value y = g^x 
with x ∈ Z_q, which is the secret key. A message m ∈ G_q is encrypted by a pair 
(α, β) where α = g^r and β = y^r · m with r ∈_R Z_q. The decryption step consists 
of retrieving m = β · α^{−x}. 

The traitor tracing scheme. The new scheme is a generalization of the 
ElGamal scheme. The public key is modified as follows. For each i = 1, ..., 2k 
we choose r_i, α_i ∈_R Z_q and set h_i = g^{r_i}, y = ∏_{i=1}^{2k} h_i^{α_i}. The public key is 

  < y, h_1, h_2, ..., h_{2k} >. 

Notice that given the public key, there are several possible combinations of the 
α's that yield y = ∏_{i=1}^{2k} h_i^{α_i}. Such a vector < α_1, ..., α_{2k} > is called a 
representation of y with respect to < h_1, ..., h_{2k} >. 

Finally we also assume that there is a publicly known code Γ, which is a 
collection of n codewords in Z_q^{2k}: 

  Γ = {γ^{(1)}, ..., γ^{(n)}}   with   γ^{(i)} = < γ^{(i)}_1, ..., γ^{(i)}_{2k} > 

User U_i gets a value θ_i ∈ Z_q such that θ_i · γ^{(i)} is a representation of y: 

  θ_i = (Σ_{j=1}^{2k} r_j α_j) / (Σ_{j=1}^{2k} r_j γ^{(i)}_j)   mod q 

We denote with δ^{(i)} = θ_i · γ^{(i)} the representation held by U_i. 
To encrypt m ∈ G_q we generalize ElGamal as follows: 

  E_r(m) = < h_1^r, h_2^r, ..., h_{2k}^r, y^r · m > 

To decrypt a ciphertext c = < H_1, ..., H_{2k}, S > the user U_i computes m = 
S · U^{−1} where U = ∏_{j=1}^{2k} H_j^{δ^{(i)}_j}. Notice that this is a good decryption given any 
representation. 

The code Γ is what enables the tracing mechanism. Indeed it is easy to show 
that if an adversary gets δ^{(1)}, ..., δ^{(ℓ)}, the representations of ℓ users, where ℓ ≤ k, 
then she can only compute new representations δ which are convex combinations 
of the δ^{(i)}'s, i.e. 

  δ = Σ_{i=1}^{ℓ} a_i δ^{(i)}   where   Σ_{i=1}^{ℓ} a_i = 1 

If we instantiate the code Γ as a Reed-Solomon code, then it is possible, given 
δ, to identify all the components used in the linear combination. 

Notice that the above approach requires δ and as such is not a black-box 
tracing mechanism. The paper also presents a black-box mechanism, but it is 
inefficient since it runs in time O((n choose k)), so it is feasible only for small coalitions. 
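The public-key scheme worked through on constructed toy parameters, as an added example (not the paper's or the lecture's code): key generation, the representation δ^{(i)} of each user, encryption, decryption with any representation, and the fact that only convex combinations of representations are representations again. Assumptions: G_q is the order-q subgroup of Z_p^* with p = 2q + 1 and g = 4, and the code Γ is instantiated by the Reed-Solomon-style codewords γ^{(i)} = (1, i, i², ..., i^{2k−1}) mod q; the identification of the components (the decoding step) is not shown.

```python
# The public-key traitor tracing scheme above, worked through on constructed toy
# parameters (added example, not the paper's or the lecture's code). G_q is the
# order-q subgroup of Z_p^* with p = 2q + 1 and generator g = 4; the code Γ is
# instantiated, as an assumption, by the Reed-Solomon-style codewords
# γ^(i) = (1, i, i^2, ..., i^(2k-1)) mod q. Sizes are far too small to be secure.
import random

Q = 1019                  # prime group order q
P = 2 * Q + 1             # 2039, also prime
G = 4                     # 4 = 2^2 is a quadratic residue, hence of order q


def codeword(i, k):
    """γ^(i) ∈ Z_q^{2k} (constructed code, assumption)."""
    return [pow(i, j, Q) for j in range(2 * k)]


def keygen(k, n, rng):
    """Public key <y, h_1..h_2k> and the center's secrets r_i, α_i."""
    while True:
        r = [rng.randrange(1, Q) for _ in range(2 * k)]
        alpha = [rng.randrange(1, Q) for _ in range(2 * k)]
        # retry on the negligible-probability degenerate cases (y = 1 or a
        # zero denominator in some θ_i) so that every user gets a key
        if sum(a * b for a, b in zip(r, alpha)) % Q == 0:
            continue
        if any(sum(rj * gj for rj, gj in zip(r, codeword(i, k))) % Q == 0
               for i in range(1, n + 1)):
            continue
        h = [pow(G, ri, P) for ri in r]
        y = 1
        for hi, ai in zip(h, alpha):
            y = y * pow(hi, ai, P) % P
        return (y, h), (r, alpha)


def user_representation(i, sk, k):
    """δ^(i) = θ_i · γ^(i) with θ_i = (Σ r_j α_j) / (Σ r_j γ^(i)_j) mod q."""
    r, alpha = sk
    gamma = codeword(i, k)
    num = sum(rj * aj for rj, aj in zip(r, alpha)) % Q
    den = sum(rj * gj for rj, gj in zip(r, gamma)) % Q
    theta = num * pow(den, -1, Q) % Q
    return [theta * gj % Q for gj in gamma]


def is_representation(delta, pk):
    """Does ∏ h_j^{δ_j} equal y?"""
    y, h = pk
    prod = 1
    for hj, dj in zip(h, delta):
        prod = prod * pow(hj, dj, P) % P
    return prod == y


def encrypt(pk, m, rng):
    """E_r(m) = <h_1^r, ..., h_2k^r, y^r · m>."""
    y, h = pk
    rr = rng.randrange(1, Q)
    return [pow(hj, rr, P) for hj in h] + [pow(y, rr, P) * m % P]


def decrypt(delta, c):
    """m = S · U^{-1} with U = ∏ H_j^{δ_j}; works for any representation."""
    H, S = c[:-1], c[-1]
    U = 1
    for Hj, dj in zip(H, delta):
        U = U * pow(Hj, dj, P) % P
    return S * pow(U, -1, P) % P


def combine(deltas, coeffs):
    """Σ a_i δ^(i) mod q; a representation again exactly when Σ a_i = 1."""
    return [sum(a * d[j] for a, d in zip(coeffs, deltas)) % Q
            for j in range(len(deltas[0]))]


if __name__ == "__main__":
    rng = random.Random(7)                 # fixed seed: reproducible toy run
    k, n = 2, 5
    pk, sk = keygen(k, n, rng)
    d1, d2 = user_representation(1, sk, k), user_representation(2, sk, k)
    m = pow(G, 123, P)                     # a message in G_q
    c = encrypt(pk, m, rng)
    print("user 1 decrypts:", decrypt(d1, c) == m)
    print("convex mix is a key:", is_representation(combine([d1, d2], [700, 320]), pk))
    print("non-convex mix is a key:", is_representation(combine([d1, d2], [1, 1]), pk))
```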



6.3 Bibliographical Note 

The problem of tracing the source of pirate decoders was introduced in [6], which 
appeared in its final journal form in [7]. The tracing mechanism for stateless 
receivers was proposed in [14]. The public-key scheme originates from [3]. 



References 

1. R. Anderson, F. Bergadano, B. Crispo, J. Lee, C. Manifavas and R. Needham. A 
New Family of Authentication Protocols. Operating Systems Review, 32(4):9-20. 
October 1998. 

2. F. Bergadano, D. Cavagnino and B. Crispo. Individual Source Authentication on 
the MBONE. Proceedings of ICME 2000. 

3. D. Boneh and M. Franklin. An Efficient Public-Key Traitor Tracing Scheme. Pro- 
ceedings of CRYPTO'99, LNCS vol.1666 pp. 338-353. Springer 1999. 

4. R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor and B. Pinkas. Multicast 
Security: A Taxonomy and Some Efficient Constructions. Proceedings of INFO- 
COM’99. 1999. 

5. S. Cheung. An Efficient Message Authentication Scheme for Link State Routing. In 
Proceedings of the 13th Annual Computer Security Applications Conference. 1997. 

6. B. Chor, A. Fiat and M. Naor. Tracing Traitors. Proceedings of CRYPTO’94, LNCS 
vol.839, pp.257-270. Springer 1994. 

7. B. Chor, A. Fiat, M. Naor and B. Pinkas. Tracing Traitors. IEEE Transactions on 
Information Theory, 46:3, May 2000. 







Rosario Gennaro 



8. A. Fiat and M. Naor. Broadcast Encryption. Proceedings of CRYPTO’93. LNCS 
vol.773, pp. 480-491. Springer 1994. 

9. R. Gennaro and P. Rohatgi. How to Sign Digital Streams. Information and Com- 
putation, 165:100-116. 2001. 

10. S. Goldwasser, S. Micali and R. Rivest. A Digital Signature Scheme Secure Against 
Adaptive Chosen Message Attack. SIAM J. Comp. 17(2):281-308, 1988. 

11. L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical 
Report SRI Intl. CSL 98, 1979. 

12. R. Merkle. A Digital Signature based on a Conventional Encryption Function. 
Advances in Cryptology-Crypto'87. LNCS, vol.293, pp. 369-378, Springer-Verlag, 
1988. 

13. R. Merkle. A Certified Digital Signature. Advances in Cryptology-Crypto'89. 
LNCS, vol.435, pp. 218-238, Springer-Verlag, 1990. 

14. D. Naor, M. Naor and J. Lotspiech. Revocation and Tracing Schemes for Stateless 
Receivers. Proceedings of CRYPTO 2001, LNCS vol.2139, pp. 41-62. Springer 2001. 

15. National Institute of Standard and Technology. Secure Hash Standard. NIST FIPS 
Pub 180-1, 1995. 

16. A. Perrig, R. Canetti, J. Tygar and D. Song. Efficient Authentication and Sig- 
nature of Multicast Streams over Lossy Channels. Proceedings of the 2000 IEEE 
Symposium on Security and Privacy. 

17. P. Rohatgi. A Compact and Fast Hybrid Signature Scheme for Multicast Packet 
Authentication. Proceedings of ACM CCS ’99, pp. 93-100. 

18. D. Stinson. Cryptography. Theory and Practice. CRC Press. 1996. 

19. D. Wallner, E. Harder and R. Agee. Key Management for Multicast: Issues and 
Architectures. IETF Draft wallner-key, July 1997. Available from 
ftp://ftp.ietf.org/internet-drafts/draft-wallner-key-arch-01.txt 

20. C. Wong, M. Gouda and S. Lam. Secure Group Communications Using Key 
Graphs. SIGCOMM 1998. 




Security for Mobility 



Hanne Riis Nielson, Flemming Nielson, and Mikael Buchholtz 



Informatics and Mathematical Modelling, Technical University of Denmark 
Richard Petersens Plads, Building 321, DK-2800 Lyngby, Denmark 
{riis,nielson,mib}@imm.dtu.dk 



Abstract. We show how to use static analysis to provide information 
about security issues related to mobility. First the syntax and semantics 
of Mobile Ambients is reviewed and we show how to obtain a so-called 
0CFA analysis that can be implemented in polynomial time. Next we 
consider discretionary access control where we devise Discretionary Am- 
bients, based on Safe Ambients, and we adapt the semantics and 0CFA 
analysis; to strengthen the analysis we incorporate context-sensitivity to 
obtain a 1CFA analysis. This paves the way for dealing with mandatory 
access control where we express both a Bell-LaPadula model for confi- 
dentiality as well as a Biba model for integrity. Finally, we use Boxed 
Ambients as a means for expressing cryptographic key exchange proto- 
cols and we adapt the operational semantics and the 0CFA analysis. 



1 Introduction 

Mobile Ambients (see Section 2) were introduced by Cardelli and Gordon [13,16] 
as a formalism for reasoning about mobility. Ambients present a high-level view 
of mobile computation and give rise to a high-level treatment of the related 
security issues. 

An ambient is a named bounded place and the boundary determines what is 
outside and what is inside. Ambients can be nested inside each other and thereby 
form a tree structure. Mobility is then represented as navigation inside this 
hierarchy. Each ambient contains a number of multi-threaded running processes; 
the top-level processes of each ambient have direct control over it and can instruct 
it to move and thereby change its future behaviour. The ambient names are 
unforgeable and are essential for controlling access to the ambients. As in [12] 
we shall impose a simple type structure by assigning groups to ambients. 

The basic calculus has three so-called subjective mobility capabilities: an 
enclosing ambient can be instructed to move into a sibling ambient, it can be 
instructed to move out of its enclosing ambient, and a sibling ambient can be 
dissolved. The literature contains a number of extensions to the basic calculus: 
so-called objective moves, various forms of communication and primitives for 
access control etc; we shall begin by considering the basic calculus in Section 2, 
then add access control features in Sections 3 and 4, and finally revert to the 
basic calculus in order to add communication primitives in Section 5. 

The operational semantics is a standard reduction semantics with a structural 
congruence relation. The static analysis is modelled on the simple 0CFA analysis 
originally developed for functional programs. In the case of Mobile Ambients 
the control structure is expressed by the hierarchical structure of ambients (with 
separate components taking care of the communication, if present). Hence we aim 
at modelling the father-son relationship between the nodes of the tree structure 
[31,30]. 

The precision of the 0CFA analysis is roughly comparable to that of early 
type systems for Mobile Ambients [11,14] and may be used for validating security 
properties related to crossing control and opening control [12]. In the spirit of 
type systems the main semantic result showing the correctness of the 0CFA 
analysis is a subject-reduction result expressing that the analysis information 
remains valid during execution. 

The efficiency of the analysis is good and the worst-case complexity is cubic 
[36]. In practical terms we find it convenient to translate the analysis into a 
fragment of first order logic known as Alternation-free Least Fixed Point Logic 
(ALFP) and implemented by our Succinct Solver [35]. 

Discretionary access control (see Section 3) imposes conditions on when an am- 
bient can perform a given mobility primitive on another ambient. As an example, 
an ambient (the subject) may move into another ambient (the object) by execut- 
ing a suitable capability (an access operation). In the Safe Ambients of Levi and 
Sangiorgi [24] there is a simple notion of access control; here the object must 
agree to being entered and this is expressed by requiring the object to execute 
the corresponding co-capability (an access right). 

This rudimentary kind of access control does not fully model the usual no- 
tion of access control where an access control matrix lists the set of capabilities 
that each subject may perform on each object. (In the classical setting [22], 
the subjects correspond to programs, the objects correspond to files, and the 
access operations could be the read, write, and execute permissions of UNIX.) 
We overcome this shortcoming by designing the Discretionary Ambients where 
co-capabilities not only indicate the access rights but also the subject that is 
allowed to perform it. 

We then adapt the semantics to incorporate the necessary checks and hence 
to block execution whenever an inadmissible access operation is performed. Simi- 
larly we adapt the analysis and later strengthen it using context-sensitivity; this 
is a standard technique from data flow and control flow analysis that can be 
used to improve the precision of a simple 0CFA analysis in order to obtain a so- 
called 1CFA analysis [29]. As mentioned above the 0CFA analysis approximates 
the hierarchical structure of the ambients by a binary father-son relationship. 
Context-sensitivity then is based on the observation that more precise results are 
likely to be obtained using a ternary grandfather-father-son relationship between 
ambients. This 1CFA analysis still has reasonable complexity and we report on 
practical experiments confirming that the use of ternary relations strikes a use- 
ful balance between precision and efficiency. (A considerably more precise and 
costly analysis is presented in [37,38].) 
Mandatory access control (see Section 4) imposes confidentiality and/or integrity 
by combining the access control matrices with additional information [22]. The 
Bell-LaPadula model assigns security levels to objects and subjects and imposes 
confidentiality by preventing information from flowing downwards from a high 
security level to a low security level. The Biba model assigns integrity levels to 
objects and subjects and then imposes integrity by preventing trusted high-level 
entities from being corrupted by dubious low-level entities — thus information 
is prevented from flowing upwards. 

These security models were originally developed in a setting much more static 
than the one of Discretionary Ambients. For comparison, an ambient may be 
viewed as a system with a distributed access control matrix that dynamically 
evolves and that is concerned with multiplicities whereas classically the access 
control matrix is partly centralised and static. In this paper we show how the 
security policies may be re-formulated in the dynamic and mobile setting of the 
Discretionary Ambients. 

The formal development amounts to adapting the semantics so as to incor- 
porate reference monitors that block execution whenever an inadmissible access 
operation is performed (according to the mandatory access control policy con- 
sidered). The analysis is extended to perform tests comparable to those of the 
reference monitors, and as an extension of the subject reduction theorem we show 
that if all static tests are satisfied then the reference monitor can be dispensed 
with. 

Cryptographic protocols (see Section 5) are most naturally expressed using com- 
munication. The full calculus of Mobile Ambients includes a notion of local 
communication where there is a communication box inside each ambient; this 
naturally leads to dealing with asynchronous communication. For some purposes 
it is more convenient to allow communication between adjacent layers of ambi- 
ents and this motivated the design of Boxed Ambients [9,8]. Here an ambient 
can directly access not only its local communication box but also the commu- 
nication box of its parent (but not grandparents) as well as its children (but 
not grandchildren). We show that perfect symmetric cryptography as well as 
a number of cryptographic key exchange protocols (Wide Mouthed Frog, Ya- 
halom and the Needham-Schroeder symmetric key protocol) can be expressed in 
a rather natural manner in Boxed Ambients. We adapt the semantics and the 
0CFA analysis to this setting and prove the usual results; thanks to a small sim- 
plification also the implementation is relatively straightforward. This analysis 
may additionally be used for validating security properties related to exchange 
analysis as presented in [12]. 

In the Conclusion (see Section 6) we summarise the development performed and 
briefly discuss extensions of the work as well as directions for future research: the 
notion of hardest attackers as a means for characterising all Dolev-Yao attackers 
to a firewall [31,30], and the possibility of extending this to capture all Dolev-Yao 
attackers to the protocols considered [5]. 
[Figure 1: four panels (1)-(4) showing the packet p inside site A, outside both sites, inside site B, and finally opened.] 

Fig. 1. A packet p moves from site A to site B and finally gets dissolved. 

2 Mobile Ambients 

In the ambient view of the world each ambient is a bounded place where compu- 
tations take place. The boundary determines what is inside and what is outside 
and as such it represents a high-level security abstraction. Additionally it pro- 
vides a powerful abstraction of mobility where ambients move as a whole. This 
view is sufficiently flexible to apply to a variety of scenarios: applets, agents, 
laptops, etc. 

Ambients can be nested inside other ambients forming a tree structure. Mo- 
bility is then represented as navigation within this hierarchy of ambients. As an 
example, consider Figure 1 where a packet p moves from one site A into another 
site B. First we move the packet out of the enclosing ambient (2) and then into the 
new enclosing ambient (3). Finally in (4), the payload of the packet is opened 
inside site B and the packet p is, thereby, dissolved. 

Each ambient contains a number of multi-threaded running processes. The 
top-level processes of an ambient have direct control over it and can instruct it to 
move and thereby change the future behaviour of its processes and sub-ambients; 
consequently, the processes of sub-ambients only control the sub-ambient in 
which they are placed. Processes continue to run while being moved. 

Each ambient has a name. Only the name can be used to control the access 
to the ambient (entry, exit, etc.) and the ambient names are unforgeable. 

The mobility primitives of ambients are based on the notion of subjective 
moves. Here the movements of an ambient are caused by the threads running at 
top-level inside it. The in-capability directs an ambient to move into a sibling 
(i.e. another ambient running in parallel). This can be depicted as: 
[Figure: m[in n.P | Q] | n[R]  →  n[m[P | Q] | R]] 

The left hand side shows two sibling ambients named m and n; the ambient 
m has a thread instructing it to move into the ambient n. The right hand side 
of the figure then shows the result of this action. 

The out-capability directs an ambient to move out of its father (i.e. the en- 
closing ambient). In the figure below the ambient m contains a thread instructing 
it to move out of its father named n: 

[Figure: n[m[out n.P | Q] | R]  →  m[P | Q] | n[R]] 

The open-capability allows a process to dissolve the boundary around a sibling 
ambient (named n below): 





[Figure: open n.P | n[Q]  →  P | Q] 



The ambient view of systems directly focuses on the ability to express a 
number of high-level security issues related to mobility; as for example, ensuring 
that packets with sensitive information can only pass through classified sites, or 
that packets with sensitive information may pass through unclassified sites but 
can only be opened at classified sites. 



2.1 Syntax and Semantics of Mobile Ambients 

To make this precise we formally define the syntax of processes, P, and capabil- 
ities, M, by the following grammar: 

Processes based on the π-calculus: 

P ::= (ν n: μ) P    introduces a process with private name n in group μ 
   |  (ν μ) P       introduces a new group named μ with its scope 
   |  0             the inactive process 
   |  P_1 | P_2     two concurrent processes 
   |  !P            replication: any number of occurrences of P 
   |  n[P]          an ambient named n containing P (drawn as a box labelled n) 
   |  M.P           a capability M followed by P 

Capabilities of the core calculus: 

M ::= in n          move the enclosing ambient into a sibling named n 
   |  out n         move the enclosing ambient out of a parent named n 
   |  open n        dissolve a sibling ambient named n 

In the graphical representation the inactive process is usually not written 
explicitly. Our syntax of ambients follows [12] and extends the basic calculus of 
[13,16] in not having an operation (ν n) P for introducing a new private name 
Table 1. The structural congruence relation. 

P ≡ P 
P ≡ Q ∧ Q ≡ R ⇒ P ≡ R 
P ≡ Q ⇒ Q ≡ P 

P ≡ Q ⇒ (ν n: μ) P ≡ (ν n: μ) Q 
P ≡ Q ⇒ (ν μ) P ≡ (ν μ) Q 
P ≡ Q ⇒ P | R ≡ Q | R 
P ≡ Q ⇒ !P ≡ !Q 
P ≡ Q ⇒ n[P] ≡ n[Q] 
P ≡ Q ⇒ M.P ≡ M.Q 

P | Q ≡ Q | P 
(P | Q) | R ≡ P | (Q | R) 
P | 0 ≡ P 

!P ≡ P | !P 
!0 ≡ 0 

(ν n: μ) 0 ≡ 0 
(ν μ) 0 ≡ 0 

(ν n: μ) (ν n': μ') P ≡ (ν n': μ') (ν n: μ) P   if n ≠ n' 
(ν μ) (ν μ') P ≡ (ν μ') (ν μ) P 
(ν n: μ) (ν μ') P ≡ (ν μ') (ν n: μ) P   if μ ≠ μ' 

(ν n: μ) (P | Q) ≡ P | (ν n: μ) Q   if n ∉ fn(P) 
(ν μ) (P | Q) ≡ P | (ν μ) Q   if μ ∉ fg(P) 

(ν n': μ) (n[P]) ≡ n[(ν n': μ) P]   if n ≠ n' 
(ν μ) (n[P]) ≡ n[(ν μ) P] 

(ν n: μ) P ≡ (ν n': μ) (P{n ← n'})   if n' ∉ fn(P) 



Table 2. The transition relation for Mobile Ambients. 

P → Q ⇒ (ν n: μ) P → (ν n: μ) Q 
P → Q ⇒ (ν μ) P → (ν μ) Q 
P → Q ⇒ n[P] → n[Q] 
P → Q ⇒ P | R → Q | R 
P ≡ P' ∧ P' → Q' ∧ Q' ≡ Q ⇒ P → Q 

m[in n. P | Q] | n[R] → n[m[P | Q] | R] 
n[m[out n. P | Q] | R] → m[P | Q] | n[R] 
open n. P | n[Q] → P | Q 

n for use in P but instead two operations: (ν μ) P for introducing a new group 
name μ for use in P and then (ν n: μ) P for introducing a new private name n 
belonging to the group μ. A group can be viewed as the "type" of a name and 
has no semantic consequence. 

The importance of groups becomes clear in the 0CFA analysis where we will 
need that the group name is stable under α-renaming of names. We achieve 
this by means of a careful definition of the structural congruence (see Table 1 
and the explanation below). For simplicity there will be no α-renaming of group 
names; for this to work we make the simplifying assumption that all (ν μ) must 
be distinct and must not occur inside some replication operator (!). 

The semantics of mobile ambients consists of a structural congruence rela- 
tion, written P ≡ Q, and a transition relation, written P → Q. The structural 
congruence relation allows one to rearrange the syntactic appearance of processes 
as the pictorial representation suggests (e.g. P | Q ≡ Q | P), it deals with the 
semantics of replication (e.g. !P ≡ !P | P) and allows one to perform α-renaming; 
the details are fairly standard and may be found in Table 1. We write fn(P) 
and fg(P) for the free names and the free groups of P, respectively. The transi- 
tion relation formalises the three subjective moves and clarifies that capabilities 
deeply nested inside ambients may execute provided they are not prefixed with 
other capabilities; the details are fairly standard and may be found in Table 2. 

Example 1. Let us consider a packet p moving from a site A to another site B 
as in Figure 1. The first configuration (1) in Figure 1 could be the process: 

  A[p[out A. in B]] | B[open p] 

Using the transition relation of Table 2 we can get an execution sequence corre- 
sponding to that of Figure 1: 

  (1) A[p[out A. in B]] | B[open p]  → 

  (2) A[ ] | p[in B] | B[open p]  → 

  (3) A[ ] | B[open p | p[ ]]  → 

  (4) A[ ] | B[ ] 
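The three subjective moves of Table 2 as a small interpreter, added here as a worked example (not the paper's code): it reproduces the execution sequence of Example 1 and additionally records, per group, which groups and capabilities actually occur inside ambients of that group during the run, which is exactly the information that the 0CFA analysis of Section 2.2 must over-approximate. Replication and name restriction are left out; the group assignment (A, B in S; p in P) is the one used in Example 2.

```python
# A tiny interpreter for the core Mobile Ambients calculus, added here as a
# worked example (not the paper's code). A process is a list of parallel
# components; each component is ('amb', n, P) for n[P] or (cap, n, P) for
# "cap n.P" with cap in {'in', 'out', 'open'}. The three reductions follow
# Table 2; replication and name restriction are left out.


def amb(n, *body): return ('amb', n, list(body))
def cap(kind, n, *cont): return (kind, n, list(cont))


def show(procs):
    parts = []
    for kind, n, body in procs:
        if kind == 'amb':
            parts.append("%s[%s]" % (n, show(body) if body else " "))
        else:
            parts.append("%s %s%s" % (kind, n, "." + show(body) if body else ""))
    return " | ".join(parts)


def _without(procs, i, j):
    return [p for t, p in enumerate(procs) if t not in (i, j)]


def step(procs):
    """One reduction of Table 2 (leftmost redex), or None if P is stuck."""
    for i, p in enumerate(procs):
        if p[0] != 'amb':
            continue
        # n[m[out n.P | Q] | R]  ->  m[P | Q] | n[R]
        for j, q in enumerate(p[2]):
            if q[0] == 'amb':
                for k, c in enumerate(q[2]):
                    if c[0] == 'out' and c[1] == p[1]:
                        m_new = ('amb', q[1], c[2] + q[2][:k] + q[2][k + 1:])
                        n_new = ('amb', p[1], p[2][:j] + p[2][j + 1:])
                        return procs[:i] + [m_new, n_new] + procs[i + 1:]
        # m[in n.P | Q] | n[R]  ->  n[m[P | Q] | R]
        for k, c in enumerate(p[2]):
            if c[0] == 'in':
                for j, q in enumerate(procs):
                    if j != i and q[0] == 'amb' and q[1] == c[1]:
                        m_new = ('amb', p[1], c[2] + p[2][:k] + p[2][k + 1:])
                        n_new = ('amb', q[1], [m_new] + q[2])
                        rest = _without(procs, i, j)
                        at = j - 1 if i < j else j      # n keeps its place
                        return rest[:at] + [n_new] + rest[at:]
    # open n.P | n[Q]  ->  P | Q
    for i, p in enumerate(procs):
        if p[0] == 'open':
            for j, q in enumerate(procs):
                if q[0] == 'amb' and q[1] == p[1]:
                    rest = _without(procs, i, j)
                    at = min(i, j)
                    return rest[:at] + p[2] + q[2] + rest[at:]
    # congruence rule: reduce inside an ambient
    for i, p in enumerate(procs):
        if p[0] == 'amb':
            inner = step(p[2])
            if inner is not None:
                return procs[:i] + [('amb', p[1], inner)] + procs[i + 1:]
    return None


def run(procs, limit=100):
    """All configurations reached from procs until no reduction applies."""
    configs = [procs]
    while len(configs) < limit:
        nxt = step(configs[-1])
        if nxt is None:
            break
        configs.append(nxt)
    return configs


def observed(configs, group):
    """For each group ('*' = top level): the groups and group capabilities
    that occur inside ambients of that group during the run; a sound 0CFA
    estimate X must contain all of them."""
    X = {}

    def walk(procs, mu):
        for kind, n, body in procs:
            if kind == 'amb':
                X.setdefault(mu, set()).add(group[n])
                walk(body, group[n])
            else:
                X.setdefault(mu, set()).add("%s %s" % (kind, group[n]))
                walk(body, mu)

    for procs in configs:
        walk(procs, '*')
    return X


# Example 1: A[p[out A. in B]] | B[open p], with A, B in group S and p in P
EXAMPLE1 = [amb('A', amb('p', cap('out', 'A', cap('in', 'B')))),
            amb('B', cap('open', 'p'))]
GROUPS = {'A': 'S', 'B': 'S', 'p': 'P'}

if __name__ == "__main__":
    for cfg in run(EXAMPLE1):
        print(show(cfg))
    print(observed(run(EXAMPLE1), GROUPS))
```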

2.2 A 0CFA Analysis for Mobile Ambients 

The aim of the static analysis is to determine which ambients and capabilities 
may turn up inside given ambients. Fixing our attention on a given ambient 
process P our aim is to find an estimate X of this information that describes all 
configurations reachable from P. In the Flow Logic approach to static analysis 
[28,39] we proceed in the following stages: 

Specification: First we define what it means for the estimate X to be an ac- 
ceptable description of the process P. 

Correctness: Then we prove that all acceptable estimates will remain accept- 
able during execution. 

Implementation: Finally, we show that a best acceptable estimate can be 
calculated in polynomial time. 

This approach should be rather natural to readers familiar with type systems: 
first one formulates the type system (thereby making precise the notion of type 
checking), then one shows semantic soundness of the type system (usually in the 
form of a subject-reduction result), and finally one shows how to obtain principal 
types for processes (thereby making precise the notion of type inference). 

Example 2. Consider the Mobile Ambient process of Example 1 

A [p [out A. in B]] | B [open p] 

Fig. 2. The nature of approximation. 



where ambients A and B belong to the group S of sites, and the ambient p belongs 
to the group P of packets. The analysis will provide a safe approximation of which 
ambients may turn up inside other ambients. 

The exact answer is that p may turn up inside A, p may turn up inside B, but 
that A and B never turn up inside p nor inside each other. In terms of groups we 
shall simply say that P may turn up inside S but that S never turns up inside P 
nor inside S. We shall represent this using a mapping 

I : Group → P(Group ∪ Cap) 

that for each ambient group μ ∈ Group tells us not only which ambient groups 
may be inside an ambient in group μ but also which group capabilities may be 
possessed by an ambient in group μ; here a group capability m ∈ Cap is given by: 

m ::= in μ | out μ | open μ 

The optimum value of I for the example discussed above is given by 

I(⋆) = {S, P} 

I(S) = {P, open P} 

I(P) = {in S, out S} 

where ⋆ denotes the group of the overall system (i.e. the top level). A somewhat 
less precise over-approximation of I, where extra elements are included, is 

I(⋆) = {S, P} 

I(S) = {P, S, in S, out S, open P} 

I(P) = {in S, out S} 

and it will turn out that this is the one that will be obtained using the simplest 
of our analyses (the 0CFA analysis developed in this subsection). □ 

Remark 3. The choice of the domain of I determines which kind of informa- 
tion the analysis can provide about a process and, consequently, what it cannot 
record. 

For example, with the choice of I as in Example 2 we can record whether an 
ambient or a capability is present inside some other ambient, but not the number 
of ambients and capabilities that are present. To get such information we will 
have to change the domain of the analysis estimate as done in e.g. [37,23,38]. 
Furthermore, we can only record the presence of capabilities but not the 
order in which they appear. Thus, we do not capture the order in which capabil- 
ities are executed and cannot determine whether one capability is executed before 
another; in other words the analysis is not flow-sensitive. Adding sequences of 
capabilities has been studied in [23]. 

In the remainder of this paper we consider neither multiplicities nor 
flow-sensitivity. As we will see, even these “simple” analyses are able to give 
analysis estimates that are sufficiently precise to determine interesting security 
properties. □ 



Specification of the 0CFA Analysis. In the above example we displayed 
the best value of I that one can hope for. In general this is not always possible 
since the problem of finding the best value of I is really undecidable due to 
the Turing completeness of Mobile Ambients. Hence we will have to settle for 
more approximate estimates saying that S may turn up inside P, whereas we 
shall never accept an estimate saying that P never turns up inside S. In terms 
of approximation this means that we opt for an over-approximation of the set 
of containments; this is illustrated in Figure 2. 

To make precise when an estimate I : Group → P(Group ∪ Cap) de- 
scribes an acceptable over-approximation of the behaviour of a process P under 
consideration we shall axiomatise a judgement 

I ⊨_Γ^⋆ P 

meaning that I is an acceptable analysis estimate for the process P when it 
occurs inside an ambient from the group ⋆ and whenever the ambients are in 
groups as specified by the type environment Γ (e.g. Γ(p) = P and Γ(A) = 
Γ(B) = S). The judgement is defined by structural induction on the syntax of 
the process P (as shown below). 

Analysis of Composite Processes. Each acceptable analysis estimate for a com- 
posite process must also be an acceptable analysis estimate for its sub-processes; 
perhaps more imprecise than need be. This is captured by the following clauses 
where Γ is the current type environment and ⋆ is the ambience i.e. the group 
associated with the enclosing ambient. 

I ⊨_Γ^⋆ (νn : μ) P   iff   I ⊨_{Γ[n↦μ]}^⋆ P            update type env.; check process 

I ⊨_Γ^⋆ (νμ) P       iff   I ⊨_{Γ[μ↦◦]}^⋆ P            update type env.; check process 

I ⊨_Γ^⋆ 0            iff   true                          nothing to check 

I ⊨_Γ^⋆ P1 | P2      iff   I ⊨_Γ^⋆ P1 ∧ I ⊨_Γ^⋆ P2      check both branches 

I ⊨_Γ^⋆ !P           iff   I ⊨_Γ^⋆ P                    check process; ignore multiplicity 

I ⊨_Γ^⋆ n[P]         iff   μ ∈ I(⋆) ∧ I ⊨_Γ^μ P         μ is inside ⋆; check process 

where μ = Γ(n) 

In the first clause we update the type environment with the type of the newly 
introduced name; in the second clause we update the type environment with a 
special placeholder ◦ indicating a group name; in the last clause we ensure that 
the analysis estimate I records that the group of n occurs inside the ambience 
⋆ and we analyse the internals of n in an appropriately updated ambience. 
Remark 4. Elaborating on the analogy to type systems explained above, one 
could coin the slogan: 

Flow Logic is the approach to static analysis that presents Data 
and Control Flow Analysis as a Type System. 

To make this more apparent we could formulate the first clause above as an 
inference rule 

    I ⊨_{Γ[n↦μ]}^⋆ P 
  ----------------------- 
  I ⊨_Γ^⋆ (νn : μ) P 

and similarly for the other clauses presented here. These formulations are equiv- 
alent¹ whenever the judgement is defined by structural induction on processes. 
The formulation chosen here is perhaps more in the spirit of the equational 
approach of Data Flow Analysis. □ 

In-Capability. Each acceptable analysis estimate must mimic the semantics: if 
the semantics allows one configuration to evolve into another then it must be 
reflected in the analysis estimate. For the in-capability this is achieved by the 
following clause: 

I ⊨_Γ^⋆ in n. P   iff   in μ ∈ I(⋆) ∧ I ⊨_Γ^⋆ P ∧ 

  ∀ μ^a, μ^p :  in μ ∈ I(μ^a) ∧      μ^a has the capability in μ 

                μ^a ∈ I(μ^p) ∧       μ^p is the parent of μ^a 

                μ ∈ I(μ^p)           μ^a has a sibling μ 

                ⇒ μ^a ∈ I(μ)         μ^a may move into μ 

where μ = Γ(n) 

Here the first line records the presence of the actual capability and also analyses 
the continuation; this is in line with what happened for ambients above. The 
remaining lines model the semantics. To understand the formulation it may be 
helpful to recall the semantics of the in-capability as follows (writing n : μ to 
indicate that Γ(n) = μ and writing • : μ when the ambient name is of no 
importance for the analysis): 



¹ For some applications of Flow Logic to programming languages with higher-order 
features this need not be the case and then the inference system presentation amounts 
to an inductive definition rather than the desired co-inductive definition [29,39]; 
however, this subtle but important point will not be an issue in the present paper 
where the inductive definition turns out to coincide with the co-inductive definition. 

The precondition of the universally quantified implication above recognises the 
structure depicted to the left of the arrow by querying if the relevant entries 
are already in I; the conclusion then records the only new structural ingredient 
depicted to the right of the arrow. 



Example 5. Let Γ be given by Γ(p) = P and Γ(A) = Γ(B) = S and let I be 
given by the second estimate in Example 2: 

I(⋆) = {S, P} 

I(S) = {P, S, in S, out S, open P} 

I(P) = {in S, out S} 

Checking that 

I ⊨_Γ^⋆ A [p [out A. in B]] | B [open p] 

involves checking 

I ⊨_Γ^P in B 

which holds because in S ∈ I(P) and 

in S ∈ I(μ^a) ∧ μ^a ∈ I(μ^p) ∧ S ∈ I(μ^p) ⇒ μ^a ∈ I(S) 

holds for all non-trivial (μ^a, μ^p) ∈ {(S, ⋆), (S, S), (P, ⋆), (P, S)}. 

□ 



Out-Capability. For the out-capability the clause is 

I ⊨_Γ^⋆ out n. P   iff   out μ ∈ I(⋆) ∧ I ⊨_Γ^⋆ P ∧ 

  ∀ μ^a, μ^g :  out μ ∈ I(μ^a) ∧     μ^a has the capability out μ 

                μ^a ∈ I(μ) ∧         μ is the parent of μ^a 

                μ ∈ I(μ^g)           μ^g is the grandparent of μ^a 

                ⇒ μ^a ∈ I(μ^g)       μ^a may move out of μ 

where μ = Γ(n) 

corresponding to the operational semantics: 




Example 6. Continuing Example 5, checking 

I ⊨_Γ^⋆ A [p [out A. in B]] | B [open p] 

involves checking 

I ⊨_Γ^P out A. in B 

which holds because I ⊨_Γ^P in B (see Example 5) and out S ∈ I(P) and 

out S ∈ I(μ^a) ∧ μ^a ∈ I(S) ∧ S ∈ I(μ^g) ⇒ μ^a ∈ I(μ^g) 

holds for all (μ^a, μ^g) ∈ {(S, ⋆), (S, S), (P, ⋆), (P, S)}. 

□ 
Open-Capability. For the open-capability the clause is 

I ⊨_Γ^⋆ open n. P   iff   open μ ∈ I(⋆) ∧ I ⊨_Γ^⋆ P ∧ 

  ∀ μ^p :  open μ ∈ I(μ^p) ∧      μ^p has the capability open μ 

           μ ∈ I(μ^p)             μ is a sibling of open μ 

           ⇒ I(μ) ⊆ I(μ^p)        everything in μ may be in μ^p 

where μ = Γ(n) 

corresponding to the operational semantics: 

Example 7. Continuing Example 5 and Example 6, checking that 

I ⊨_Γ^⋆ A [p [out A. in B]] | B [open p] 

involves checking 

I ⊨_Γ^S open p 

which holds because open P ∈ I(S) and 

open P ∈ I(μ^p) ∧ P ∈ I(μ^p) ⇒ I(P) ⊆ I(μ^p) 

holds for μ^p = S. □ 

This concludes the Flow Logic definition of the judgement I ⊨_Γ^⋆ P in a style 
close to that of a type system. 

Example 8. Ensuring that the analysis estimate I of Example 5 is an acceptable 
analysis estimate for the entire process A [p [out A. in B]] | B [open p] amounts 
to checking that 

I ⊨_Γ^⋆ A [p [out A. in B]] | B [open p] 

This involves checking the clauses for composite processes. The top-level parallel 
composition gives rise to the two checks that 

I ⊨_Γ^⋆ A [p [out A. in B]]   and   I ⊨_Γ^⋆ B [open p] 

which, for the first part, leads to the checks that 

S ∈ I(⋆)   and   I ⊨_Γ^S p [out A. in B] 

In turn, checking the clauses for composite processes leads to the checks of 
capabilities performed in Examples 5, 6, and 7. Performing all the required checks 
we find that the analysis estimate I of Example 5 is indeed an acceptable analysis 
estimate for the 0CFA analysis. □ 
Fig. 3. Subject reduction: the analysis estimate remains acceptable under execution. 
[Diagram: an execution P1 → P2 → ··· with the same estimate I acceptable (⊨_Γ) at every step.] 



Correctness of the 0CFA Analysis. Although the specification of the judge- 
ment in the previous subsection was motivated by the transition relation it was 
not formally linked to it. To do so we take the rather natural approach, famil- 
iar from type systems, that the analysis estimate should not only describe the 
initial configuration in an acceptable way but it must remain acceptable under 
execution; then we know that all reachable configurations will be described by 
the analysis estimate. 

This is the “subject reduction” approach to correctness; it is illustrated in 
Figure 3 and formalised by the following theorem: 

Theorem 9. If I ⊨_Γ^⋆ P and P →* Q then I ⊨_Γ^⋆ Q. 

For the proof we first show that the analysis estimate is invariant under the 
structural congruence: 

If P ≡ Q then I ⊨_Γ^⋆ P if and only if I ⊨_Γ^⋆ Q. 

This amounts to a straightforward induction on the inference of P ≡ Q. 

Next we prove that the analysis estimate is preserved under the transition 
relation: 

If P → Q and I ⊨_Γ^⋆ P then I ⊨_Γ^⋆ Q. 

This amounts to a straightforward induction on the inference of P → Q. 

Finally we prove the theorem by a simple numerical induction on the number 
of steps k in P →* Q. 

Implementation of the 0CFA Analysis. An abstract argument for why there 
always is a best acceptable analysis estimate borrows from abstract interpreta- 
tion [19,20,29]. The notion of “best estimate” means “least estimate” since we 
decided to opt for over-approximation and hence we are looking for a value of I 
that contains as few elements as possible. The abstract argument then amounts 
to the Moore Family result (or model intersection property in model-theoretic 
terminology): 

Theorem 10. For each P, the set {I | I ⊨_Γ^⋆ P} is a Moore family; in other 
words: for each P, if Y ⊆ {I | I ⊨_Γ^⋆ P} then ⊓Y ⊨_Γ^⋆ P where (⊓Y)(μ) = 
∩{I(μ) | I ∈ Y}. 

The proof is by structural induction on P. We are interested in the Moore family 
property because a Moore family always contains a unique least element. Thus 
it follows that the least analysis estimate can be expressed as ⊓{I | I ⊨_Γ^⋆ P} 
and in the world of type systems this corresponds to each process admitting a 
single principal type. 
Table 3. Semantics of ALFP. 

(ρ, σ) ⊨ R(x1, ..., xk)        iff   (σ x1, ..., σ xk) ∈ ρ R 
(ρ, σ) ⊨ ¬R(x1, ..., xk)       iff   (σ x1, ..., σ xk) ∉ ρ R 
(ρ, σ) ⊨ x = y                 iff   σ x = σ y 
(ρ, σ) ⊨ x ≠ y                 iff   σ x ≠ σ y 
(ρ, σ) ⊨ pre1 ∧ pre2           iff   (ρ, σ) ⊨ pre1 and (ρ, σ) ⊨ pre2 
(ρ, σ) ⊨ pre1 ∨ pre2           iff   (ρ, σ) ⊨ pre1 or (ρ, σ) ⊨ pre2 
(ρ, σ) ⊨ ∀x : pre              iff   (ρ, σ[x ↦ a]) ⊨ pre for all a ∈ U 
(ρ, σ) ⊨ ∃x : pre              iff   (ρ, σ[x ↦ a]) ⊨ pre for some a ∈ U 

(ρ, σ) ⊨ R(x1, ..., xk)        iff   (σ x1, ..., σ xk) ∈ ρ R 
(ρ, σ) ⊨ 1                     iff   true 
(ρ, σ) ⊨ clause1 ∧ clause2     iff   (ρ, σ) ⊨ clause1 and (ρ, σ) ⊨ clause2 
(ρ, σ) ⊨ pre ⇒ clause          iff   (ρ, σ) ⊨ clause whenever (ρ, σ) ⊨ pre 
(ρ, σ) ⊨ ∀x : clause           iff   (ρ, σ[x ↦ a]) ⊨ clause for all a ∈ U 
The ALFP Logic. To actually compute the intended solution in polynomial time 
we shall follow a rather general and elegant method where the specification is 
translated into an extension of Horn clauses known as Alternation-free Least 
Fixed Point Logic (ALFP). This is a first-order logic where the set of formulae 
(or clauses), clause, and the set of preconditions, pre, are given by the following 
grammar (subject to a notion of stratification limiting the use of negation): 

pre    ::= R(x1, ..., xk) | ¬R(x1, ..., xk) | x = y | x ≠ y 
         | pre1 ∧ pre2 | pre1 ∨ pre2 | ∀x : pre | ∃x : pre 

clause ::= R(x1, ..., xk) | 1 | clause1 ∧ clause2 | pre ⇒ clause | ∀x : clause 

Here R is a k-ary predicate symbol for k ≥ 0, and y, x, x1, ... denote arbitrary 
variables, while 1 is the always true clause. (Since we shall not use negation in 
this paper we dispense with explaining the notion of stratification.) 

Given a finite universe U of atomic values and interpretations ρ and σ 
for predicate symbols and free variables, respectively, the satisfaction relations 
(ρ, σ) ⊨ pre for pre-conditions and (ρ, σ) ⊨ clause for clauses are defined in 
a straightforward manner as shown in Table 3. Note that the definitions for 
pre-conditions and clauses are similar for predicates R(x1, ..., xk), conjunction 
(∧), and universal quantification (∀). We view the free variables occurring in a 
formula as constant symbols or atoms from the finite universe U. Thus, given 
an interpretation σ of the constant symbols in the clause clause, we call an 
interpretation ρ of the predicate symbols a solution provided (ρ, σ) ⊨ clause. 



Implementation Using ALFP. Calculating a least analysis estimate is done by 
finding the least solution to an ALFP clause that is logically equivalent to the 
specification of the analysis. The calculation of the least solution ρ is done auto- 
matically using our Succinct Solver [35]. Recall that being the least interpretation 
means that it contains as few elements as possible while still being acceptable. 
In the specification of an analysis we are free to use any mathematical no- 
tation, while in the implementation we are limited by what we can express in 
ALFP. For simple powerset based analyses, such as the ones considered in this 
paper, the transformation from the specification to ALFP is relatively straight- 
forward. For the analysis considered here the following transformations suffice: 

— The mapping I : Group → P(Group ∪ Cap) is encoded as a binary predi- 
cate of sort Group × (Group ∪ Cap). 

— Correspondingly, set membership such as μ' ∈ I(μ) is written as I(μ, μ'). 

— Subset relations such as I(μ) ⊆ I(μ') are written by explicitly quantifying 
the elements in the first set: ∀u : I(μ, u) ⇒ I(μ', u). 

— All groups μ and group capabilities in μ, out μ, and open μ are elements in 
the universe U; for a given process this universe will be finite. 

It is straightforward to establish a formal relationship between the specifica- 
tion and the implementation by giving a mapping (actually an isomorphism) 
between the two representations of I and showing that the specification and the 
implementation are logically equivalent under this mapping. 

We apply the above encodings systematically to the specification of the anal- 
ysis thus getting a new formulation from which we can generate ALFP clauses 
for any given process P. The analysis of composite processes remains unchanged 
except for the analysis of the ambient construct, which is changed into: 

I ⊨_Γ^⋆ n[P]   iff   I(⋆, μ) ∧ I ⊨_Γ^μ P 

where μ = Γ(n) 

That is, the set membership is now written I(⋆, μ). Similarly, the analysis of 
the capabilities is changed and in the case of open n (where subset is used) the 
clause becomes: 

I ⊨_Γ^⋆ open n. P   iff   I(⋆, open μ) ∧ I ⊨_Γ^⋆ P ∧ 

  ∀ μ^p :  I(μ^p, open μ) ∧ 
           I(μ^p, μ) 
           ⇒ ∀u : I(μ, u) ⇒ I(μ^p, u) 

where μ = Γ(n) 

The rules for in- and out-capabilities are obtained in an analogous way. 

Example 11. Finding the least analysis estimate for the 0CFA analysis of the 
process 

A [p [out A. in B]] | B [open p] 

with Γ given by Γ(p) = P and Γ(A) = Γ(B) = S now amounts to finding the 
solution to the ALFP clause: 

I(⋆, S) ∧                                                          Ambient A 
I(S, P) ∧                                                          Ambient p 
I(P, out S) ∧                                                      Capability out A 
(∀ μ^a, μ^g : I(μ^a, out S) ∧ I(S, μ^a) ∧ I(μ^g, S) 
              ⇒ I(μ^g, μ^a)) ∧ 
I(P, in S) ∧                                                       Capability in B 
(∀ μ^a, μ^p : I(μ^a, in S) ∧ I(μ^p, μ^a) ∧ I(μ^p, S) 
              ⇒ I(S, μ^a)) ∧ 
I(⋆, S) ∧                                                          Ambient B 
I(S, open P) ∧                                                     Capability open p 
(∀ μ^p : I(μ^p, open P) ∧ I(μ^p, P) 
         ⇒ ∀u : I(P, u) ⇒ I(μ^p, u)) 

The resulting least solution I which satisfies the clause is: 

I : (⋆, S), (S, P),                                 from ambients 

    (P, out S), (⋆, P),                             from out 

    (P, in S), (S, S),                              from in 

    (S, open P), (S, out S), (S, in S)              from open 

This corresponds to the solution displayed in Example 5. □ 

The solution of an ALFP clause can be found in polynomial time in the size 
of the universe i.e. in the number of groups and capabilities. This complexity 
is due to a generalisation [35] of a meta-complexity result for Horn Clauses by 
McAllester [25], which states that: 

— The time needed to compute a solution is asymptotically the same as the 
time needed to check the validity of an estimate. 

— The degree of the complexity polynomial is dominated by one plus the nest- 
ing depth of quantifiers occurring in the clause. 

Consequently, the complexity bound can sometimes be improved by reformulat- 
ing the clause to reduce the amount of quantifier nesting. Rather than improving 
formulae using a general transformation scheme, like the use of tiling to reduce 
quantifier nesting [36], or automatically estimating the run-time [32], we take 
the more pragmatic, and more precise, approach of estimating the run-time em- 
pirically [7], and use this as a basis for transforming the clause so as to improve 
its running time [7]. 

A result of such an experiment is shown in Figure 4. Here the analysis has 
been run on a number of processes with the same overall structure where a packet 
is routed through a grid of m × m sites. The actual time that the Succinct Solver 
spends on computing a solution is plotted against the size of the process. 

The plot is shown using logarithmic scales on both axes so that a power 
function shows up as a straight line. A crude least-squares estimate of the degree 
of the complexity polynomial is displayed in the legend of the plot and we see 
that the solving times are linear in the size of the process being analysed. This 
is typical for most processes, though the analysis in some cases runs in time that 
is quadratic in the size of the process. 

Fig. 4. Estimating the complexity empirically. 
[Plot: 0CFA for Mobile Ambients; x-axis: process size (N).] 

Remark 12. We already said that for ALFP the time needed to compute the least 
solution is asymptotically the same as the time needed to check the acceptability 
of an estimate. Elaborating on the analogy to type systems explained above, one 
could then coin the slogan: 

ALFP-based Flow Logic studies a class of simple Type Systems 
where type checking and type inference have the same asymptotic 
complexity. 

In the absence of principal types this is quite different from type systems based 
on subtyping where type checking usually takes polynomial time but where type 
inference often would seem to require non-deterministic polynomial time (in 
practice exponential time) due to the need to search for the right types. □ 

2.3 Crossing Control and Opening Control 

The analysis not only approximates the hierarchical structure of the ambients 
but also the access operations that an ambient may possess. This facilitates 
validating the following security properties [12]: 

— Crossing control: may an ambient m cross the boundary of another ambient 
n either by entering it (using in-capabilities) or by exiting it (using out- 
capabilities)? 

— Opening control: may an ambient n be dissolved by another ambient m (using 
open-capabilities)? 
In each case we proceed as follows: 

— First, we describe the desired property dynamically, i.e. we express it using 
the concepts and notation of the reduction semantics. 

— Second, we describe the property statically, i.e. we re-express it using the 
concepts and notation of the static analysis. 

— Third, we show the semantic correctness of these formulations: that the static 
formulation of the property implies the dynamic formulation. 

— Finally, we argue that the test can be performed by means of the techniques 
used for implementing the analysis, which in our case means that the static 
properties can be determined in polynomial time. 

Crossing Control. The dynamic notion amounts to saying that an ambient n 
can cross the ambient n' during the execution of a process P whenever in some 
reachable configuration n executes the in n' or the out n' capability. This can be 
reformulated in terms of groups: 

Definition 13 (Dynamic Notion of Crossing). Ambients of group μ can 
cross ambients of group μ' during the execution of P whenever 

1. P →* Q, 

2. some ambient n in Q contains an executable capability in n' or an executable 
capability out n', and 

3. n is of group μ and n' is of group μ'. 

We could choose to define the dynamic notion both with and without groups but 
we shall focus on the former since it more directly relates to the static notion 
studied below. 

The static notion is expressed in terms of the 0CFA analysis. It amounts to 
saying that ambients of group μ may cross ambients of group μ' during the exe- 
cution of P whenever the precondition in the clause for in-capabilities is satisfied 
or the precondition in the clause for out-capabilities is satisfied. To express this 
in a succinct manner we decide to introduce an “observation predicate”, named 
D for dynamics, to keep track of the capabilities recorded by I that may actually 
execute according to the analysis. We let D be a mapping D : Group → P(Cap) 
and modify the clauses for in and out to read: 

(I, D) ⊨_Γ^⋆ in n. P   iff   in μ ∈ I(⋆) ∧ (I, D) ⊨_Γ^⋆ P ∧ 

  ∀ μ^a, μ^p :  in μ ∈ I(μ^a) ∧ 
                μ^a ∈ I(μ^p) ∧ 
                μ ∈ I(μ^p) 
                ⇒ μ^a ∈ I(μ) ∧ in μ ∈ D(μ^a) 

where μ = Γ(n) 

(I, D) ⊨_Γ^⋆ out n. P   iff   out μ ∈ I(⋆) ∧ (I, D) ⊨_Γ^⋆ P ∧ 

  ∀ μ^a, μ^g :  out μ ∈ I(μ^a) ∧ 
                μ^a ∈ I(μ) ∧ 
                μ ∈ I(μ^g) 
                ⇒ μ^a ∈ I(μ^g) ∧ out μ ∈ D(μ^a) 

where μ = Γ(n) 
Using the information in the “observation predicate” D the static notion of 
what it means for an ambient to cross the boundary of another ambient can be 
defined as follows: 

Definition 14 (Static Notion of Crossing). Ambients of group μ possibly 
may cross ambients of group μ' during the execution of P whenever 

in μ' ∈ D(μ) ∨ out μ' ∈ D(μ) 

for the least I and D such that (I, D) ⊨_Γ^⋆ P. 

This static condition is checkable in polynomial time. 

Example 15. With respect to Γ and I as displayed in Example 5 the least esti- 
mate for the modified analysis will produce a relation D that contains exactly 
the same capabilities as recorded in I; i.e. ∀μ : D(μ) = I(μ) ∩ Cap. Hence the 
analysis can be used to validate (where “will never” is the negation of “possibly 
may”): 

— Ambients of group P possibly may cross ambients in group S; 
because in S ∈ D(P) ∨ out S ∈ D(P). 

— Ambients in group S will never cross ambients in group P; 
because in P ∉ D(S) ∧ out P ∉ D(S). 

It is interesting to observe that a more precise analysis is needed to validate 
that ambients of group S will never cross ambients in group S since we do not 
have that in S ∉ D(S) ∧ out S ∉ D(S). And indeed, we also have S ∈ I(S) indicating 
that as far as the analysis can see, some ambient of group S may turn up inside 
some ambient of group S. □ 

The correctness of the static test with respect to the dynamic semantics is 
formally expressed as follows: 

Theorem 16 (Crossing Control). 

1. If ambients of group μ can cross ambients of group μ' during the execution 
of P then ambients of group μ possibly may cross ambients of group μ' 
during the execution of P. 

2. If ambients of group μ will never cross ambients of group μ' during the 
execution of P then ambients of group μ cannot cross ambients of group 
μ' during the execution of P. 

The proposition is a corollary of the subject reduction result (Theorem 9); also 
note that the second statement is the contrapositive version of the first statement 
(and hence that they are logically equivalent). 

Opening Control. The dynamic notion amounts to saying that an ambient n 
can open the ambient n' during the execution of P whenever some n executes the 
open n' capability in some reachable configuration. Again we define the notion 
in terms of groups. 
Definition 17 (Dynamic Notion of Opening). Ambients of group μ can 
open ambients of group μ' during the execution of P whenever 

1. P →* Q, 

2. some ambient n in Q contains an executable capability open n', and 

3. n is of group μ, and n' is of group μ'. 

The static notion is once again expressed in terms of the 0CFA analysis. 
It amounts to saying that ambients of group μ may open ambients in group 
μ' whenever the precondition in the clause for open-capabilities is satisfied. As 
before we use a modified clause for extracting the “executable” capabilities in D: 

(I, D) ⊨_Γ^⋆ open n. P   iff   open μ ∈ I(⋆) ∧ (I, D) ⊨_Γ^⋆ P ∧ 

  ∀ μ^p :  open μ ∈ I(μ^p) ∧ 
           μ ∈ I(μ^p) 
           ⇒ I(μ) ⊆ I(μ^p) ∧ open μ ∈ D(μ^p) 

where μ = Γ(n) 

and the static property can be defined accordingly: 

Definition 18 (Static Notion of Opening). Ambients of group μ possibly 
may open ambients of group μ' during the execution of P whenever 

open μ' ∈ D(μ) 

for the least I and D such that (I, D) ⊨_Γ^⋆ P. 

As before the condition is checkable in polynomial time. 

Example 19. With respect to Γ, I and D as given in Examples 5 and 15, respec- 
tively, the analysis can be used to validate that ambients of group S possibly 
may open ambients in group P, because open P ∈ D(S), and that ambients in 
group P will never open any ambients, because ∀μ : open μ ∉ D(P). □ 

Theorem 20 (Opening Control). 

1. If ambients of group μ can open ambients in group μ' during the execution 
of P then ambients of group μ possibly may open ambients in group μ' 
during the execution of P. 

2. If ambients of group μ will never open ambients in group μ' during the 
execution of P then ambients of group μ cannot open ambients in group 
μ' during the execution of P. 

As before this is a corollary of the subject reduction result (Theorem 9). 
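The least 0CFA estimate of Example 11 and the crossing/opening tests of Definitions 14 and 18 (Examples 15 and 19), computed as an added example in Python rather than with the paper's Succinct Solver; the tuple encoding of processes and the group/capability names are constructed here and are not the paper's notation.

```python
"""0CFA for Mobile Ambients (Section 2.2) computed as a least fixpoint, together
with the observation predicate D and the crossing/opening tests of Section 2.3.
Added example, not the paper's own code (the paper uses the Succinct Solver).
Processes are nested tuples, a constructed representation:
  ('amb', n, P)  n[P]       ('par', P, Q)  P | Q       ('zero',)  0
  ('in', n, P)   in n.P     ('out', n, P)  out n.P     ('open', n, P)  open n.P
  ('bang', P)    !P         ('new', n, mu, P)  (nu n : mu)P
Groups are strings, the top-level ambience is TOP, a capability is (kind, group).
"""
from collections import defaultdict

TOP = '*'


def collect(proc, gamma, amb, facts, rules):
    """Structural walk producing the 'local' facts mu in I(amb) / cap in I(amb)
    of the clauses, plus one rule per capability occurrence for the quantified
    implication (the rule only depends on the capability's group mu = gamma(n))."""
    kind = proc[0]
    if kind == 'zero':
        return
    if kind == 'par':
        collect(proc[1], gamma, amb, facts, rules)
        collect(proc[2], gamma, amb, facts, rules)
    elif kind == 'bang':                                 # multiplicity ignored
        collect(proc[1], gamma, amb, facts, rules)
    elif kind == 'new':                                  # extend the type env.
        collect(proc[3], {**gamma, proc[1]: proc[2]}, amb, facts, rules)
    elif kind == 'amb':                                  # mu in I(amb); analyse P in mu
        mu = gamma[proc[1]]
        facts.append((amb, mu))
        collect(proc[2], gamma, mu, facts, rules)
    else:                                                # in / out / open
        mu = gamma[proc[1]]
        facts.append((amb, (kind, mu)))
        rules.append((kind, mu))
        collect(proc[2], gamma, amb, facts, rules)


def _add(rel, key, value):
    if value in rel[key]:
        return False
    rel[key].add(value)
    return True


def analyse(proc, gamma):
    """Least (I, D) with (I, D) |= proc, as dicts group -> frozenset.  The
    in/out/open implications are iterated until nothing changes; the Moore
    family property (Theorem 10) is what makes this the least estimate."""
    facts, rules = [], []
    collect(proc, gamma, TOP, facts, rules)
    I, D = defaultdict(set), defaultdict(set)
    for amb, x in facts:
        I[amb].add(x)
    changed = True
    while changed:
        changed = False
        groups = list(I)
        for kind, mu in rules:
            for a in groups:              # a plays mu^a (mu^p for open)
                if (kind, mu) not in I[a]:
                    continue
                if kind == 'in':          # in mu in I(a), a in I(p), mu in I(p) => a in I(mu)
                    for p in groups:
                        if a in I[p] and mu in I[p]:
                            changed |= _add(I, mu, a) | _add(D, a, ('in', mu))
                elif kind == 'out':       # out mu in I(a), a in I(mu), mu in I(g) => a in I(g)
                    for g in groups:
                        if a in I[mu] and mu in I[g]:
                            changed |= _add(I, g, a) | _add(D, a, ('out', mu))
                elif mu in I[a]:          # open mu in I(a), mu in I(a) => I(mu) subset of I(a)
                    for u in list(I[mu]):
                        changed |= _add(I, a, u)
                    changed |= _add(D, a, ('open', mu))
    return ({g: frozenset(s) for g, s in I.items()},
            {g: frozenset(s) for g, s in D.items()})


def may_cross(D, mu, mu2):
    """Definition 14: ambients of group mu possibly may cross group mu2."""
    return ('in', mu2) in D.get(mu, ()) or ('out', mu2) in D.get(mu, ())


def may_open(D, mu, mu2):
    """Definition 18: ambients of group mu possibly may open group mu2."""
    return ('open', mu2) in D.get(mu, ())


# Example 11:  A[p[out A. in B]] | B[open p]  with Gamma(p)=P, Gamma(A)=Gamma(B)=S
GAMMA = {'A': 'S', 'B': 'S', 'p': 'P'}
EXAMPLE = ('par', ('amb', 'A', ('amb', 'p', ('out', 'A', ('in', 'B', ('zero',))))),
                  ('amb', 'B', ('open', 'p', ('zero',))))

if __name__ == '__main__':
    I, D = analyse(EXAMPLE, GAMMA)
    for g in sorted(I):
        print(f"I({g}) = {sorted(map(str, I[g]))}")
    print("P may cross S:", may_cross(D, 'P', 'S'), "| S may cross P:", may_cross(D, 'S', 'P'))
    print("S may open P:", may_open(D, 'S', 'P'), "| S may cross S:", may_cross(D, 'S', 'S'))
```

The computed I is the second estimate of Example 2 and D(μ) = I(μ) ∩ Cap as stated in Example 15, including the imprecise "S may cross S" verdict that the text points out.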

3 Discretionary Access Control 

Security for Mobility 227 

The notion of discretionary access control originates from operating systems 
where it is used to define a reference monitor for governing the access operations 
(typically read, write and execute) that active subjects (typically programs or 
users) can perform on passive objects (typically files or external devices). The 
reference monitor is then implemented as part of the operating system. Although 
traditionally implemented as access control lists, often based on grouping users 
into three layers (the user, a group of users, all users), conceptually the specifi- 
cation of access control takes the form of a matrix [22]: 

[Access control matrix: each entry gives the operations a subject may perform on an object.] 


When adapting discretionary access control to Mobile Ambients we should re- 
think the concepts of subject, object and access operation. It seems very natural 
to let the access operations be the basic capabilities (in, out and open) of Mobile 
Ambients since the notions of read, write and execute are indeed the basic op- 
erations of a traditional operating system. Then subjects and objects will both 
be ambients; the subject will be the ambient containing the capability and the 
object the other ambient involved (typically the one being moved into or being 
moved out of). 

Safe Ambients [24] extend Mobile Ambients to deal with discretionary access 
control. Since it is not in the distributed nature of Mobile Ambients to have 
a single global access control matrix it is implemented as access rights, or co- 
capabilities, placed inside the objects. Syntactically this leads to modifying the 
syntax of Mobile Ambients as follows: 

P ::= ··· as before ··· 

M ::= in n | out n | open n          capabilities ≈ access operations 

    | in̄ n | out̄ n | open̄ n         co-capabilities ≈ access rights 

A transition only takes place if a capability of the subject is matched by a 
corresponding co-capability in the object: 

— If m wants to move into n then n should be willing to let ambients enter; 
i.e. n must have the co-capability in̄ n: 

m[in n.P | Q] | n[in̄ n.R | S] → n[m[P | Q] | R | S] 

— If m wants to move out of n then n should be willing to let ambients leave; 
i.e. n must have the co-capability out̄ n: 

n[m[out n.P | Q] | out̄ n.R | S] → m[P | Q] | n[R | S] 

— If m wants to dissolve n then n should be willing to be dissolved; i.e. n must 
have the co-capability open̄ n: 

m[open n.P | n[open̄ n.Q | R]] → m[P | Q | R] 

This amounts to integrating the reference monitor into the semantics i.e. the 
transition relation. 



3.1 Syntax and Semantics of Discretionary Ambients 

Discretionary Ambients go one step further in giving an account of discre- 
tionary access control that is as refined as illustrated by the access control ma- 
trix above. We do so by augmenting co-capabilities with a subscript indicating 
the group of ambients permitted to perform the corresponding capability: 

$$P ::= (\nu\mu)P \mid (\nu n{:}\mu)P \mid 0 \mid P_1 \mid P_2 \mid\; !P \mid n[P] \mid M.P$$

$$M ::= \mathrm{in}\ n \mid \mathrm{out}\ n \mid \mathrm{open}\ n \mid \overline{\mathrm{in}}_\mu\ n \mid \overline{\mathrm{out}}_\mu\ n \mid \overline{\mathrm{open}}_\mu\ n$$

Hence the basic transitions need to be determined relative to a type environment 
$\Gamma$ mapping ambient names to groups; below we write $n : \mu$ to indicate that 
$\Gamma(n) = \mu$. 

— For the in-capability we have 

$$\Gamma \vdash m[\mathrm{in}\ n.P \mid Q] \mid n[\overline{\mathrm{in}}_\mu\ n.R \mid S] \;\to\; n[m[P \mid Q] \mid R \mid S] \quad \text{if } \Gamma(m) = \mu$$

so n is willing to let ambients of group $\mu$ enter. 

— For the out-capability we have 

$$\Gamma \vdash n[m[\mathrm{out}\ n.P \mid Q] \mid \overline{\mathrm{out}}_\mu\ n.R \mid S] \;\to\; m[P \mid Q] \mid n[R \mid S] \quad \text{if } \Gamma(m) = \mu$$

so n is willing to let ambients of group $\mu$ leave. 

— For the open-capability we have 

$$\Gamma \vdash m[\mathrm{open}\ n.P \mid n[\overline{\mathrm{open}}_\mu\ n.Q \mid R]] \;\to\; m[P \mid Q \mid R] \quad \text{if } \Gamma(m) = \mu$$

so n is willing to be dissolved within ambients of group $\mu$. 
Table 4. Transition relation for Discretionary Ambients. 

$$\frac{\Gamma[\mu \mapsto \circ] \vdash P \to Q}{\Gamma \vdash (\nu\mu)P \to (\nu\mu)Q}
\qquad
\frac{\Gamma[n \mapsto \mu] \vdash P \to Q}{\Gamma \vdash (\nu n{:}\mu)P \to (\nu n{:}\mu)Q} \;\text{ if } \mu \in \mathrm{dom}(\Gamma)$$

$$\frac{\Gamma \vdash P \to Q}{\Gamma \vdash n[P] \to n[Q]}
\qquad
\frac{\Gamma \vdash P \to Q}{\Gamma \vdash P \mid R \to Q \mid R}
\qquad
\frac{P \equiv P' \quad \Gamma \vdash P' \to Q' \quad Q' \equiv Q}{\Gamma \vdash P \to Q}$$

$$\Gamma \vdash m[\mathrm{in}\ n.P \mid Q] \mid n[\overline{\mathrm{in}}_\mu\ n.R \mid S] \;\to\; n[m[P \mid Q] \mid R \mid S] \quad \text{if } \Gamma(m) = \mu$$

$$\Gamma \vdash n[m[\mathrm{out}\ n.P \mid Q] \mid \overline{\mathrm{out}}_\mu\ n.R \mid S] \;\to\; m[P \mid Q] \mid n[R \mid S] \quad \text{if } \Gamma(m) = \mu$$

$$\Gamma \vdash m[\mathrm{open}\ n.P \mid n[\overline{\mathrm{open}}_\mu\ n.Q \mid R]] \;\to\; m[P \mid Q \mid R] \quad \text{if } \Gamma(m) = \mu$$

The semantics of Discretionary Ambients is a straightforward extension of the 
semantics of Mobile Ambients. It consists of the structural congruence relation, 
$P \equiv Q$, defined in Table 1 and the transition relation, $\Gamma \vdash P \to Q$, defined in 
Table 4. Here $\Gamma$ is a type environment mapping names to groups and groups to 
the special token $\circ$. 

Example 21. We may express the process of Figure 1 in Discretionary Ambients 
as follows: 

$$A[\,p[\mathrm{out}\ A.\ \mathrm{in}\ B.\ \overline{\mathrm{open}}_S\ p] \mid \overline{\mathrm{out}}_P\ A\,] \mid B[\,\overline{\mathrm{in}}_P\ B.\ \mathrm{open}\ p\,]$$

where we assume that $\Gamma(A) = \Gamma(B) = S$ and $\Gamma(p) = P$, i.e. that the sites A and 
B are in the group S and the packet p is in the group P. The packet may move 
out of A since it has the capability out A and furthermore A grants it the right 
to do so because it has the co-capability $\overline{\mathrm{out}}_P\ A$ (and exploiting that p is in the 
group P). So in the first step the system may evolve into: 

$$A[\,] \mid p[\mathrm{in}\ B.\ \overline{\mathrm{open}}_S\ p] \mid B[\,\overline{\mathrm{in}}_P\ B.\ \mathrm{open}\ p\,]$$

Now p has the capability to enter B and B has the co-capability to let it do so; 
the system becomes: 

$$A[\,] \mid B[\,p[\overline{\mathrm{open}}_S\ p] \mid \mathrm{open}\ p\,]$$

In the final step B has the capability to open p and p grants it the right to do 
so since B is in the group S and we then obtain: 

$$A[\,] \mid B[\,]$$

as the final configuration. □ 



Remark 22. The classical Mobile Ambients do not support access control: an 
object has no way of restricting which operations the subjects may perform on 
it. Safe Ambients [24] allow one to model a very rudimentary form of access control 
as the objects may use the co-capabilities $\overline{\mathrm{in}}\ n$, $\overline{\mathrm{out}}\ n$ and $\overline{\mathrm{open}}\ n$ to control which 
operations they engage in. However, the possession of one of these co-capabilities 
gives access to any subject with a corresponding capability; there is no way of 
allowing some subjects but not others to perform the operation. Discretionary 
Ambients model the more general form of access control corresponding to the 
classical developments because the co-capabilities put restrictions on the subjects 
allowed to perform the operations. 

The difference can be illustrated for the running example where the access 
control matrices could be viewed as being (objects as rows, subjects as columns): 

    Safe Ambients                subject
                          A          B          p
        object   A        out A      out A      out A
                 B        in B       in B       in B
                 p        open p     open p     open p

    Discretionary Ambients       subject
                          A : S      B : S      p : P
        object   A                              out_P A
                 B                              in_P B
                 p        open_S p   open_S p

Note that for Safe Ambients the columns must necessarily be equal. 

Compared to the classical setting the access control matrices in Discretionary 
Ambients are much more dynamic structures that may evolve as the process ex- 
ecutes. This is due to the fact that co-capabilities vanish once they have been 
used. If we want to model the classical setting more faithfully we should therefore 
always use co-capabilities that are individual threads and prefixed with the repli- 
cation operator: e.g. $!\,\overline{\mathrm{in}}_P\ B$ will continue to grant subjects of group P permission 
to enter the ambient B as many times as needed. □ 

3.2 Adapting the 0CFA Analysis to Discretionary Ambients 

To adapt the 0CFA analysis to deal with Discretionary (or Safe) Ambients we 
must modify the functionality of $\mathcal{I}$ to record 

— as before: which ambient groups may be inside an ambient in group $\mu$, 

— as before: which access operations (capabilities) may be possessed by an am- 
bient in group $\mu$ (as subject), and 

— additionally: which access rights (co-capabilities) may be possessed by an 
ambient in group $\mu$ (as object). 

Hence we shall use 

$$\mathcal{I} : \mathbf{Group} \to \mathcal{P}(\mathbf{Group} \cup \mathbf{Cap} \cup \overline{\mathbf{Cap}})$$

where capabilities and co-capabilities are given by: 

$$\text{capabilities } m \in \mathbf{Cap} \qquad m ::= \mathrm{in}\ \mu \mid \mathrm{out}\ \mu \mid \mathrm{open}\ \mu$$

$$\text{co-capabilities } \overline{m} \in \overline{\mathbf{Cap}} \qquad \overline{m} ::= \overline{\mathrm{in}}_{\mu'}\ \mu \mid \overline{\mathrm{out}}_{\mu'}\ \mu \mid \overline{\mathrm{open}}_{\mu'}\ \mu$$

We shall find it useful also to incorporate the observations $\mathcal{D}$ as discussed in 
Subsection 2.3 and thus have: 

$$\mathcal{D} : \mathbf{Group} \to \mathcal{P}(\mathbf{Cap} \cup \overline{\mathbf{Cap}})$$
Specification of the Adapted 0CFA Analysis. It is straightforward to 
adapt the specification of the 0CFA analysis from Section 2.2 to deal with Dis- 
cretionary Ambients. In particular no changes are needed for the analysis of the 
composite processes. 

For co-capabilities we simply record the presence of the co-capability much 
as was the case for ambients: 

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} \overline{\mathrm{in}}_{\mu^a}\ n.P \;\text{ iff }\; \overline{\mathrm{in}}_{\mu^a}\ \mu \in \mathcal{I}(\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P \qquad \text{where } \mu = \Gamma(n)$$

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} \overline{\mathrm{out}}_{\mu^a}\ n.P \;\text{ iff }\; \overline{\mathrm{out}}_{\mu^a}\ \mu \in \mathcal{I}(\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P \qquad \text{where } \mu = \Gamma(n)$$

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} \overline{\mathrm{open}}_{\mu^p}\ n.P \;\text{ iff }\; \overline{\mathrm{open}}_{\mu^p}\ \mu \in \mathcal{I}(\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P \qquad \text{where } \mu = \Gamma(n)$$

For capabilities we need to add one conjunct in each precondition that ensures 
that the capability is matched by a corresponding co-capability: 

$$\begin{array}{l}
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} \mathrm{in}\ n.P \;\text{ iff }\; \mathrm{in}\ \mu \in \mathcal{I}(\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P \wedge {} \\
\quad \forall \mu^a, \mu^p :\; \mathrm{in}\ \mu \in \mathcal{I}(\mu^a) \wedge \mu^a \in \mathcal{I}(\mu^p) \wedge \mu \in \mathcal{I}(\mu^p) \wedge {} \\
\qquad\quad \overline{\mathrm{in}}_{\mu^a}\ \mu \in \mathcal{I}(\mu) \qquad (\mu \text{ provides the access right to } \mu^a) \\
\quad \Rightarrow\; \mu^a \in \mathcal{I}(\mu) \wedge \mathrm{in}\ \mu \in \mathcal{D}(\mu^a) \wedge \overline{\mathrm{in}}_{\mu^a}\ \mu \in \mathcal{D}(\mu) \\
\text{where } \mu = \Gamma(n)
\end{array}$$

$$\begin{array}{l}
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} \mathrm{out}\ n.P \;\text{ iff }\; \mathrm{out}\ \mu \in \mathcal{I}(\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P \wedge {} \\
\quad \forall \mu^a, \mu^g :\; \mathrm{out}\ \mu \in \mathcal{I}(\mu^a) \wedge \mu^a \in \mathcal{I}(\mu) \wedge \mu \in \mathcal{I}(\mu^g) \wedge {} \\
\qquad\quad \overline{\mathrm{out}}_{\mu^a}\ \mu \in \mathcal{I}(\mu) \qquad (\mu \text{ provides the access right to } \mu^a) \\
\quad \Rightarrow\; \mu^a \in \mathcal{I}(\mu^g) \wedge \mathrm{out}\ \mu \in \mathcal{D}(\mu^a) \wedge \overline{\mathrm{out}}_{\mu^a}\ \mu \in \mathcal{D}(\mu) \\
\text{where } \mu = \Gamma(n)
\end{array}$$

$$\begin{array}{l}
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} \mathrm{open}\ n.P \;\text{ iff }\; \mathrm{open}\ \mu \in \mathcal{I}(\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P \wedge {} \\
\quad \forall \mu^p :\; \mathrm{open}\ \mu \in \mathcal{I}(\mu^p) \wedge \mu \in \mathcal{I}(\mu^p) \wedge {} \\
\qquad\quad \overline{\mathrm{open}}_{\mu^p}\ \mu \in \mathcal{I}(\mu) \qquad (\mu \text{ provides the access right to } \mu^p) \\
\quad \Rightarrow\; \mathcal{I}(\mu) \subseteq \mathcal{I}(\mu^p) \wedge \mathrm{open}\ \mu \in \mathcal{D}(\mu^p) \wedge \overline{\mathrm{open}}_{\mu^p}\ \mu \in \mathcal{D}(\mu) \\
\text{where } \mu = \Gamma(n)
\end{array}$$

Here $\mathcal{D}$ records capabilities and co-capabilities whenever they may be executed. 

Example 23. Continuing Example 21 we take $\Gamma$ to be as before (i.e. $\Gamma(p) = P$ 
and $\Gamma(A) = \Gamma(B) = S$) and obtain the following best estimates of $\mathcal{I}$ and $\mathcal{D}$ of 
the 0CFA given above: 

$$\mathcal{I}(\star) = \{S, P\}$$
$$\mathcal{I}(S) = \{P,\ \mathrm{in}\ S,\ \mathrm{out}\ S,\ \mathrm{open}\ P,\ \overline{\mathrm{in}}_P\ S,\ \overline{\mathrm{out}}_P\ S,\ \overline{\mathrm{open}}_S\ P\}$$
$$\mathcal{I}(P) = \{\mathrm{in}\ S,\ \mathrm{out}\ S,\ \overline{\mathrm{open}}_S\ P\}$$
$$\mathcal{D}(\star) = \emptyset$$
$$\mathcal{D}(S) = \{\mathrm{open}\ P,\ \overline{\mathrm{in}}_P\ S,\ \overline{\mathrm{out}}_P\ S\}$$
$$\mathcal{D}(P) = \{\mathrm{in}\ S,\ \mathrm{out}\ S,\ \overline{\mathrm{open}}_S\ P\}$$

The notion of crossing control from Section 2.3 can easily be adapted to the set- 
ting of Discretionary Ambients. Now the analysis finds that ambients of group S 
will never cross ambients of group S since $\mathrm{in}\ S \notin \mathcal{D}(S)$ and $\mathrm{out}\ S \notin \mathcal{D}(S)$. This is 
unlike what was the case for the analysis of Mobile Ambients in Example 15. □ 



Remark 24. Clearly the analysis can be simplified to deal with Safe Ambients, 
rather than Discretionary Ambients, although with a loss in precision. This is 
done by “ignoring” the groups in the co-capabilities in the specification of the 
analysis above. Continuing Example 23 we can express the system in Safe Am- 
bients by omitting the subscripts to the co-capabilities: 

$$A[\,p[\mathrm{out}\ A.\ \mathrm{in}\ B.\ \overline{\mathrm{open}}\ p] \mid \overline{\mathrm{out}}\ A\,] \mid B[\,\overline{\mathrm{in}}\ B.\ \mathrm{open}\ p\,]$$

When we apply the (modified) analysis from above to this process, however, 
the best analysis estimate will resemble the one found for Mobile Ambients in 
Example 15 and is no longer able to ensure that ambients of group S cannot 
cross ambients of group S. □ 

Correctness of the Adapted 0CFA Analysis. The correctness of the anal- 
ysis for Discretionary Ambients is still a “subject reduction” result saying that 
the validity of an analysis estimate is preserved during execution: 

Theorem 25. If $(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P$ and $\Gamma \vdash P \to^* Q$ then $(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} Q$. 

Implementation of the Adapted 0CFA Analysis. The Moore family prop- 
erty still ensures that all processes admit a least analysis estimate: 

Theorem 26. The set $\{(\mathcal{I},\mathcal{D}) \mid (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star} P\}$ is a Moore family. 

Also the implementation in ALFP proceeds exactly as in Section 2.2. 

Precision of the Adapted 0CFA Analysis. The 0CFA analysis of Discre- 
tionary Ambients seems to be more precise than the corresponding 0CFA analysis 
of Mobile Ambients. An occurrence of this phenomenon is Example 23 where the 
analysis of Discretionary Ambients reveals that ambients of group S will never 
cross ambients of S; on the other hand the analysis of the Mobile Ambients 
version of the same process in Example 15 is not able to give the same precise 
result. 

The better precision can be ascribed to the extra information that co-capa- 
bilities give about the behaviour of the process. This extra information allows for 
additional constraints on the analysis result, which in turn makes the analysis 
more precise. For example, accumulated errors where one “incorrect element” in 
the solution gives rise to several more incorrect elements are less likely to occur 
because it is improbable for an incorrect element to fulfil the extra constraints 
inferred by the co-capabilities. 

Example 27. The analysis gains precision by the way access control is added to 
the processes. Consider for example the process: 

$$a[\,] \mid b[\,] \mid c[\,b[\mathrm{in}\ a]\,]$$

which is analysed in a type environment where $\Gamma(a) = A$, $\Gamma(b) = B$, and 
$\Gamma(c) = C$. When analysed with the 0CFA analysis for Mobile Ambients we get 
the correct but imprecise result $\mathcal{I}_1$ indicating that b may turn up inside a: 

$$\begin{array}{lll}
\mathcal{I}_1(\star) = \{A, B, C\} & \mathcal{I}_2(\star) = \{A, B, C\} & \mathcal{I}_3(\star) = \{A, B, C\} \\
\mathcal{I}_1(A) = \{B\} & \mathcal{I}_2(A) = \emptyset & \mathcal{I}_3(A) = \{\overline{\mathrm{in}}_B\ A,\ B\} \\
\mathcal{I}_1(B) = \{\mathrm{in}\ A\} & \mathcal{I}_2(B) = \{\mathrm{in}\ A\} & \mathcal{I}_3(B) = \{\mathrm{in}\ A\} \\
\mathcal{I}_1(C) = \{B\} & \mathcal{I}_2(C) = \{B\} & \mathcal{I}_3(C) = \{B\}
\end{array}$$

Suppose that we add access rights to the above process in order not to allow b to 
enter a. In that case, we do not add any co-capabilities and the process above is 
just viewed as a Discretionary Ambients process. The analysis result $\mathcal{I}_2$ found us- 
ing the 0CFA analysis of Discretionary Ambients, however, now correctly shows 
that b cannot show up inside a. 

Suppose on the other hand that we add access rights in order to allow b to 
enter a. Then we add the co-capability $\overline{\mathrm{in}}_B\ a$ and get the process: 

$$a[\,\overline{\mathrm{in}}_B\ a\,] \mid b[\,] \mid c[\,b[\mathrm{in}\ a]\,]$$

Now, we get the analysis result $\mathcal{I}_3$ that imprecisely shows that b can turn up 
in a. We conclude that the additional precision strongly depends on how access 
rights are added. □ 
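The capability clauses of Section 3.2, the estimate of Example 23, the Safe Ambients variant of Remark 24 and the three results of Example 27 can all be reproduced by one small solver. The following Python code is an added example written for this edition; it is not the paper's own implementation (which uses ALFP and the Succinct Solver). It encodes processes as nested tuples (an encoding chosen here), leaves out restriction, and computes the least $(\mathcal{I},\mathcal{D})$ by iterating the closure conditions of the in/out/open clauses until nothing changes. A mode switch ignores the co-capability subscripts (Safe Ambients) or drops the co-capability requirement altogether (Mobile Ambients), so the three calculi can be compared on the same process.

```python
"""0CFA for Discretionary Ambients (Section 3.2) as a least-fixpoint computation.
Encoding chosen for this example: a process is a list of parallel items,
('amb', n, P) for n[P], ('pre', cap, P) for cap.P and ('rep', P) for !P, with
cap one of ('in', n), ('out', n), ('open', n) or a co-capability ('coin', mu, n),
('coout', mu, n), ('coopen', mu, n), mu being the subscript group.  Restriction
is left out; gamma maps every name to its group and '*' is the top-level group.
Elements of I(.) and D(.) are groups (strings) or the same tuples with names
replaced by groups, e.g. ('coout', 'P', 'S') for out_P S.
"""
from collections import defaultdict

STAR = '*'
CAPS = ('in', 'out', 'open')


def analyse(proc, gamma, mode='discretionary'):
    """Least (I, D) satisfying the 0CFA clauses.  mode selects the calculus:
    'discretionary' respects co-capability subscripts, 'safe' ignores them
    (Safe Ambients, Remark 24), 'mobile' needs no co-capability at all."""
    I, D = defaultdict(set), defaultdict(set)

    def abstract(cap):                       # replace the ambient name by its group
        if cap[0] in CAPS:
            return (cap[0], gamma[cap[1]])
        return (cap[0], None if mode == 'safe' else cap[1], gamma[cap[2]])

    def collect(items, cur):                 # clauses for composite processes
        for it in items:
            if it[0] == 'amb':
                I[cur].add(gamma[it[1]])
                collect(it[2], gamma[it[1]])
            elif it[0] == 'pre':
                I[cur].add(abstract(it[1]))
                collect(it[2], cur)
            else:                            # ('rep', P) is analysed like P
                collect(it[1], cur)

    def record(mu_a, mu, cap, co):           # observe the capability and the access right
        D[mu_a].add(cap)
        if co is not None:
            D[mu].add(co)

    def size():
        return sum(len(s) for s in I.values()) + sum(len(s) for s in D.values())

    collect(proc, STAR)
    while True:                              # close under the capability clauses
        before = size()
        groups = list(I)
        for mu_a in groups:
            for cap in list(I[mu_a]):
                if isinstance(cap, str) or cap[0] not in CAPS:
                    continue                 # groups and co-capabilities start no redex
                op, mu = cap
                co = None if mode == 'mobile' else ('co' + op, None if mode == 'safe' else mu_a, mu)
                if co is not None and co not in I[mu]:
                    continue                 # the object mu grants mu_a no access right
                if op == 'in':               # mu_a and mu are siblings under some mu_p
                    for mu_p in groups:
                        if mu_a in I[mu_p] and mu in I[mu_p]:
                            I[mu].add(mu_a)
                            record(mu_a, mu, cap, co)
                elif op == 'out':            # mu_a inside mu inside some mu_g
                    for mu_g in groups:
                        if mu_a in I[mu] and mu in I[mu_g]:
                            I[mu_g].add(mu_a)
                            record(mu_a, mu, cap, co)
                elif mu in I[mu_a]:          # open: mu_a is the father mu_p of mu
                    I[mu_a] |= I[mu]
                    record(mu_a, mu, cap, co)
        if size() == before:
            return dict(I), dict(D)


def crosses(D, group):
    """Crossing control (Example 23): may an ambient of `group` ever execute
    in or out on another ambient of the same group?"""
    return bool({('in', group), ('out', group)} & D.get(group, set()))


# Example 21:  A[p[out A. in B. open_S p] | out_P A] | B[in_P B. open p]
RUNNING = [
    ('amb', 'A', [('amb', 'p', [('pre', ('out', 'A'), [('pre', ('in', 'B'),
                                 [('pre', ('coopen', 'S', 'p'), [])])])]),
                  ('pre', ('coout', 'P', 'A'), [])]),
    ('amb', 'B', [('pre', ('coin', 'P', 'B'), [('pre', ('open', 'p'), [])])]),
]
GAMMA = {'A': 'S', 'B': 'S', 'p': 'P'}

# Example 27:  a[] | b[] | c[b[in a]]   and, with the access right,  a[in_B a] | b[] | c[b[in a]]
EX27 = [('amb', 'a', []), ('amb', 'b', []),
        ('amb', 'c', [('amb', 'b', [('pre', ('in', 'a'), [])])])]
EX27_GRANT = [('amb', 'a', [('pre', ('coin', 'B', 'a'), [])])] + EX27[1:]
GAMMA27 = {'a': 'A', 'b': 'B', 'c': 'C'}
```

Running `analyse(RUNNING, GAMMA)` yields exactly the sets of Example 23, and `crosses(D, 'S')` is false; with `mode='safe'` the same process makes `in S` observable in $\mathcal{D}(S)$, which is the loss of precision described in Remark 24. On `EX27` the three modes give $\mathcal{I}_1$, $\mathcal{I}_2$ and (with `EX27_GRANT`) $\mathcal{I}_3$ of Example 27.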

3.3 A Context-Sensitive 1CFA Analysis 

In preparation for the study of mandatory access control in the next section we 
shall now develop a more precise analysis of Discretionary Ambients. Instead 
of merely recording the father-son relationship it takes the grandfather into 
account and directly records the grandfather-father-son relationship by means 
of a ternary relation. 

As before the analysis approximates the behaviour of a process by a single 
abstract configuration that describes all the possible derivatives that the process 
may have. It distinguishes between the various groups of ambients but not be- 
tween the individual ambients. Unlike before the analysis is context-sensitive in 
keeping track of the grandfather relevant for the father-son relationship. Hence 
the analysis represents the tree structure of the processes by a ternary relation 

$$\mathcal{I} : \mathbf{Group} \times \mathbf{Group} \to \mathcal{P}(\mathbf{Group} \cup \mathbf{Cap} \cup \overline{\mathbf{Cap}})$$

so that $\mu_s \in \mathcal{I}(\mu_g, \mu_f)$ means that $\mu_s$ is a son of $\mu_f$ while at the same time $\mu_f$ 
is a son of $\mu_g$. In a similar way the “observation predicate” becomes a ternary 
relation 

$$\mathcal{D} : \mathbf{Group} \times \mathbf{Group} \to \mathcal{P}(\mathbf{Cap} \cup \overline{\mathbf{Cap}})$$

Example 28. For the running example of Example 21 we may use the following 
definition of $\mathcal{I}$. Here $\top$ is the father of $\star$, i.e. $\top$ is the grandfather of the top-level 
ambients in the process being analysed. The entries specify the set of sons with 
a given combination of grandfather (column) and father (row): 

$$\begin{array}{c|cccc}
\mathcal{I} & \top & \star & S & P \\ \hline
\star & \{P, S\} & & & \\
S & & \{P,\ \mathrm{in}\ S,\ \mathrm{out}\ S,\ \mathrm{open}\ P,\ \overline{\mathrm{in}}_P\ S,\ \overline{\mathrm{out}}_P\ S,\ \overline{\mathrm{open}}_S\ P\} & & \\
P & & \{\mathrm{in}\ S,\ \mathrm{out}\ S,\ \overline{\mathrm{open}}_S\ P\} & \{\mathrm{in}\ S,\ \mathrm{out}\ S,\ \overline{\mathrm{open}}_S\ P\} &
\end{array}$$

To be more specific, the fragment $p[\mathrm{out}\ A.\ \mathrm{in}\ B.\ \overline{\mathrm{open}}_S\ p]$ will give rise to $\mathrm{in}\ S \in \mathcal{I}(S,P)$, 
$\mathrm{out}\ S \in \mathcal{I}(S,P)$, $\overline{\mathrm{open}}_S\ P \in \mathcal{I}(S,P)$ as shown above. We shall come back 
to $\mathcal{D}$ in Example 29. □ 

Specification of the 1CFA Analysis. The judgement of the analysis takes 
the form 

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P$$

and expresses that $\mathcal{I}$ and $\mathcal{D}$ are safe approximations of the configurations that 
P may evolve into when ambient names are mapped to groups as specified by 
$\Gamma$ and when $\top$ and $\star$ are the ambient groups of the grandfather and father, 
respectively. 

Analysis of Composite Processes. It is rather straightforward to adapt the clauses 
for analysing composite processes: 

$$\begin{array}{lll}
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} (\nu n{:}\mu)P & \text{iff} & (\mathcal{I},\mathcal{D}) \models^{\Gamma[n \mapsto \mu]}_{\top,\star} P \\[2pt]
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} (\nu\mu)P & \text{iff} & (\mathcal{I},\mathcal{D}) \models^{\Gamma[\mu \mapsto \circ]}_{\top,\star} P \\[2pt]
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} 0 & \text{iff} & \text{true} \\[2pt]
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P_1 \mid P_2 & \text{iff} & (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P_1 \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P_2 \\[2pt]
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star}\ !P & \text{iff} & (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P \\[2pt]
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} n[P] & \text{iff} & \mu \in \mathcal{I}(\top,\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\star,\mu} P \qquad \text{where } \mu = \Gamma(n)
\end{array}$$

The only modification worth observing is the change of ambience in the final 
rule: the father $\star$ now becomes the grandfather and the ambient $\mu$ now becomes 
the father when analysing the process P. 
Analysis of Co-capabilities hardly requires any changes: 

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} \overline{\mathrm{in}}_\mu\ n.P \;\text{ iff }\; \overline{\mathrm{in}}_\mu\ \mu' \in \mathcal{I}(\top,\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P \qquad \text{where } \mu' = \Gamma(n)$$

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} \overline{\mathrm{out}}_\mu\ n.P \;\text{ iff }\; \overline{\mathrm{out}}_\mu\ \mu' \in \mathcal{I}(\top,\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P \qquad \text{where } \mu' = \Gamma(n)$$

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} \overline{\mathrm{open}}_\mu\ n.P \;\text{ iff }\; \overline{\mathrm{open}}_\mu\ \mu' \in \mathcal{I}(\top,\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P \qquad \text{where } \mu' = \Gamma(n)$$

Analysis of Capabilities requires a number of changes; we begin with the in- 
capability (explained below): 

$$\begin{array}{l}
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} \mathrm{in}\ n.P \;\text{ iff }\; \mathrm{in}\ \mu \in \mathcal{I}(\top,\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P \wedge {} \\
\quad \forall \mu^a, \mu^p, \mu^g :\; \mathrm{in}\ \mu \in \mathcal{I}(\mu^p, \mu^a) \wedge \mu^a \in \mathcal{I}(\mu^g, \mu^p) \wedge \mu \in \mathcal{I}(\mu^g, \mu^p) \wedge \overline{\mathrm{in}}_{\mu^a}\ \mu \in \mathcal{I}(\mu^p, \mu) \\
\quad \Rightarrow\; \mu^a \in \mathcal{I}(\mu^p, \mu) \wedge \mathcal{I}(\mu^p, \mu^a) \subseteq \mathcal{I}(\mu, \mu^a) \wedge \mathrm{in}\ \mu \in \mathcal{D}(\mu^p, \mu^a) \wedge \overline{\mathrm{in}}_{\mu^a}\ \mu \in \mathcal{D}(\mu^p, \mu) \\
\text{where } \mu = \Gamma(n)
\end{array}$$

Recall that the semantic rule is: 

$$\Gamma \vdash m[\mathrm{in}\ n.P \mid Q] \mid n[\overline{\mathrm{in}}_\mu\ n.R \mid S] \;\to\; n[m[P \mid Q] \mid R \mid S] \quad \text{if } \Gamma(m) = \mu$$

As before the first step is to identify a potential redex: 

— $\mathrm{in}\ \mu \in \mathcal{I}(\mu^p, \mu^a)$ ensures that the in n capability is present inside some am- 
bient m; here n has group $\mu$ and m has group $\mu^a$ whereas $\mu^p$ is the group of 
m's father. 

— $\mu^a \in \mathcal{I}(\mu^g, \mu^p)$ establishes more of m's (i.e. $\mu^a$'s) context: its father is $\mu^p$ 
and its grandfather is $\mu^g$. 

— $\mu \in \mathcal{I}(\mu^g, \mu^p)$ will now ensure that n (i.e. $\mu$) is a sibling of m: it has the same 
father $\mu^p$ and grandfather $\mu^g$. 

— $\overline{\mathrm{in}}_{\mu^a}\ \mu \in \mathcal{I}(\mu^p, \mu)$ finally ensures that n (i.e. $\mu$) grants the access right to m 
(i.e. $\mu^a$) in the context established by the father $\mu^p$ of $\mu$. 

In addition to identifying possible n's and m's of the semantic rule these steps 
also identify the context of the redex and thereby rule out some of the confusion 
that is inevitable when the ambient names are replaced by groups. 

Having identified a potential redex in this way the next step is to record in 
$\mathcal{I}$ the effect of reducing the redex. This is expressed by: 

— $\mu^a \in \mathcal{I}(\mu^p, \mu)$ records that m (i.e. $\mu^a$) is moved into n (i.e. $\mu$) and this hap- 
pens only when $\mu^p$ is the father. 

— $\mathcal{I}(\mu^p, \mu^a) \subseteq \mathcal{I}(\mu, \mu^a)$ records that everything inside $\mu^a$ with grandfather $\mu^p$ 
(the processes P and Q in the semantic rule) as a result of the reduction 
also may have grandfather $\mu$. 

Note that the latter step is considerably more involved than in the 0CFA analysis 
due to the need to update the context of all entities moved. Finally we need to 
update the “observation predicate” $\mathcal{D}$: 

— $\mathrm{in}\ \mu \in \mathcal{D}(\mu^p, \mu^a)$ records that the in-capability was executed. 

— $\overline{\mathrm{in}}_{\mu^a}\ \mu \in \mathcal{D}(\mu^p, \mu)$ records that the in-co-capability was executed. 

The out-capability follows much the same pattern: 

$$\begin{array}{l}
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} \mathrm{out}\ n.P \;\text{ iff }\; \mathrm{out}\ \mu \in \mathcal{I}(\top,\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P \wedge {} \\
\quad \forall \mu^a, \mu^g, \mu^q :\; \mathrm{out}\ \mu \in \mathcal{I}(\mu, \mu^a) \wedge \mu^a \in \mathcal{I}(\mu^g, \mu) \wedge \mu \in \mathcal{I}(\mu^q, \mu^g) \wedge \overline{\mathrm{out}}_{\mu^a}\ \mu \in \mathcal{I}(\mu^g, \mu) \\
\quad \Rightarrow\; \mu^a \in \mathcal{I}(\mu^q, \mu^g) \wedge \mathcal{I}(\mu, \mu^a) \subseteq \mathcal{I}(\mu^g, \mu^a) \wedge \mathrm{out}\ \mu \in \mathcal{D}(\mu, \mu^a) \wedge \overline{\mathrm{out}}_{\mu^a}\ \mu \in \mathcal{D}(\mu^g, \mu) \\
\text{where } \mu = \Gamma(n)
\end{array}$$

corresponding to the semantics: 

$$\Gamma \vdash n[m[\mathrm{out}\ n.P \mid Q] \mid \overline{\mathrm{out}}_\mu\ n.R \mid S] \;\to\; m[P \mid Q] \mid n[R \mid S] \quad \text{if } \Gamma(m) = \mu$$

Here $\mu^a$ is the group of the moving ambient m, $\mu$ that of n, $\mu^g$ that of n's father 
(into which m is moved) and $\mu^q$ that of n's grandfather. Also the open-capability 
follows much the same pattern: 

$$\begin{array}{l}
(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} \mathrm{open}\ n.P \;\text{ iff }\; \mathrm{open}\ \mu \in \mathcal{I}(\top,\star) \wedge (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P \wedge {} \\
\quad \forall \mu^p, \mu^g :\; \mathrm{open}\ \mu \in \mathcal{I}(\mu^g, \mu^p) \wedge \mu \in \mathcal{I}(\mu^g, \mu^p) \wedge \overline{\mathrm{open}}_{\mu^p}\ \mu \in \mathcal{I}(\mu^p, \mu) \\
\quad \Rightarrow\; \mathcal{I}(\mu^p, \mu) \subseteq \mathcal{I}(\mu^g, \mu^p) \wedge \mathrm{open}\ \mu \in \mathcal{D}(\mu^g, \mu^p) \wedge \overline{\mathrm{open}}_{\mu^p}\ \mu \in \mathcal{D}(\mu^p, \mu) \\
\text{where } \mu = \Gamma(n)
\end{array}$$

corresponding to the semantics: 

$$\Gamma \vdash m[\mathrm{open}\ n.P \mid n[\overline{\mathrm{open}}_\mu\ n.Q \mid R]] \;\to\; m[P \mid Q \mid R] \quad \text{if } \Gamma(m) = \mu$$
Example 29. Consider the analysis of our running example of Example 21 (again 
taking $\Gamma(A) = \Gamma(B) = S$ and $\Gamma(p) = P$): 

$$(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} A[\,p[\mathrm{out}\ A.\ \mathrm{in}\ B.\ \overline{\mathrm{open}}_S\ p] \mid \overline{\mathrm{out}}_P\ A\,] \mid B[\,\overline{\mathrm{in}}_P\ B.\ \mathrm{open}\ p\,]$$

This formula will be satisfied when $\mathcal{I}$ is (as in Example 28; grandfather as column, 
father as row) 

$$\begin{array}{c|cccc}
\mathcal{I} & \top & \star & S & P \\ \hline
\star & \{P, S\} & & & \\
S & & \{P,\ \mathrm{in}\ S,\ \mathrm{out}\ S,\ \mathrm{open}\ P,\ \overline{\mathrm{in}}_P\ S,\ \overline{\mathrm{out}}_P\ S,\ \overline{\mathrm{open}}_S\ P\} & & \\
P & & \{\mathrm{in}\ S,\ \mathrm{out}\ S,\ \overline{\mathrm{open}}_S\ P\} & \{\mathrm{in}\ S,\ \mathrm{out}\ S,\ \overline{\mathrm{open}}_S\ P\} &
\end{array}$$

and $\mathcal{D}$ is given by: 

$$\begin{array}{c|cccc}
\mathcal{D} & \top & \star & S & P \\ \hline
\star & & & & \\
S & & \{\mathrm{in}\ S,\ \mathrm{open}\ P,\ \overline{\mathrm{in}}_P\ S,\ \overline{\mathrm{out}}_P\ S\} & & \\
P & & \{\mathrm{in}\ S\} & \{\mathrm{out}\ S,\ \overline{\mathrm{open}}_S\ P\} &
\end{array}$$

One may observe that $\mathcal{D}(\cdots)$ is often a strict subset of $\mathcal{I}(\cdots) \cap (\mathbf{Cap} \cup \overline{\mathbf{Cap}})$. 
This shows that a number of capabilities will never occur in a setting where they 
are allowed to execute. In particular, even though $\mathcal{I}(\star, P)$ contains $\mathrm{out}\ S$ as well 
as $\overline{\mathrm{open}}_S\ P$, they are absent in $\mathcal{D}(\star, P)$ and hence cannot execute. □ 



Correctness of the 1CFA Analysis. The semantic correctness of the analysis 
is expressed by the following subject reduction result: 

Theorem 30. If $(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P$ and $\Gamma \vdash P \to^* Q$ then $(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} Q$. 

As before the proof is by induction in the length of the derivation sequence; each 
step is by induction on the inference in the semantics and uses that structurally 
congruent processes admit the same analysis results. 

Implementation of the 1CFA Analysis. The Moore family property ensures 
that all processes can be analysed and admit a least analysis estimate: 

Theorem 31. The set $\{(\mathcal{I},\mathcal{D}) \mid (\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P\}$ is a Moore family. 

Though the analysis is more complex than the 0CFA analysis it is still ex- 
pressible in ALFP using the encodings described in Section 2.2. Hence, the imple- 
mentation is again done using the Succinct Solver. However, the time complexity 
of the calculation of the analysis result for the 1CFA analysis is higher than that 
of the 0CFA analysis although still within polynomial time. We report in Table 5 
on some practical experiments where the time spent for computing the analysis 
result is expressed in terms of the size N of the process for four scalable test 
processes. The test processes describe a packet being routed through a network 
of sites with different network topology. 

238 Hanne Riis Nielson, Flemming Nielson, and Mikael Buchholtz 

Table 5. Running times for 0CFA versus 1CFA on four scalable test processes 
(cells whose digits are illegible in the scan are marked with ? or left blank). 

                       A            B            C            D 
    0CFA               O(N^1.03)    O(N^1.0?)                 O(N^1.22) 
    1CFA               O(N^1.98)    O(N^2.00)    O(N^3.34)    O(N^2.01) 
    Size of Group      O(N^?)       O(N) 

One reason for the higher complexity of the 1CFA is that the size of the 
analysis estimate for the 1CFA potentially is larger than the size of the analysis esti- 
mate for the 0CFA by a factor corresponding to the number of groups in $\mathbf{Group}$ 
(i.e. the potential number of elements in $\mathbf{Group} \times \mathbf{Group} \to \mathcal{P}(\mathbf{Group} \cup \mathbf{Cap} \cup \overline{\mathbf{Cap}})$ 
versus $\mathbf{Group} \to \mathcal{P}(\mathbf{Group} \cup \mathbf{Cap} \cup \overline{\mathbf{Cap}})$). The results for the first two 
test processes, A and B, behave exactly as expected. This is also largely the case 
for the last test process, D, taking into account that the number of groups here 
is not linear in the size of the process. The odd-one-out is the result for the 
test process C; here we conjecture that the 1CFA analysis is more costly than 
expected because the lower number of groups means that many ambients get 
mixed up, i.e. that many more contexts have occurrences of the same group. 
Thus the precision of the 1CFA is outweighed by the imprecision of the group 
information. 

Precision of the 1CFA Analysis. The 1CFA analysis is more precise than 
the 0CFA analysis in that it records more of the context in which capabilities 
can be used. 

Example 32. Recall the process of Example 27 

$$a[\,\overline{\mathrm{in}}_B\ a\,] \mid b[\,] \mid c[\,b[\mathrm{in}\ a]\,]$$

where the 0CFA of Discretionary Ambients imprecisely finds that b may enter a 
(as shown by $\mathcal{I}_3$ of Example 27). 

The 1CFA analysis gives rise to the least estimate $\mathcal{I}$ (grandfather as column, 
father as row): 

$$\begin{array}{c|ccccc}
\mathcal{I} & \top & \star & A & B & C \\ \hline
\star & \{A, B, C\} & & & & \\
A & & \{\overline{\mathrm{in}}_B\ A\} & & & \\
B & & & & & \{\mathrm{in}\ A\} \\
C & & \{B\} & & &
\end{array}$$

It shows that the 1CFA analysis is able to record that the capability in a is not 
inside b in a context where b is actually a sibling of a. Thus, the analysis result 
shows that b will not show up in a. □ 
Fig. 5. Example security lattices for confidentiality: the two-point lattice with 
public < secret; the powerset of {staff, guest} ordered by inclusion, with ∅ at the 
bottom, {staff} and {guest} in the middle and {staff, guest} at the top; and the 
product of the two, with (public, ∅) at the bottom and (secret, {staff, guest}) at 
the top. 



4 Mandatory Access Control 

The aim of this section is to show how the Bell-LaPadula [3,22] and Biba [4,22] 
models can be reformulated for Discretionary Ambients and thereby to construct 
the appropriate reference monitor semantics. The first design decision is to assign 
security levels/integrity levels to the groups rather than the ambients; an ambient 
then inherits the level of its group. We shall therefore extend the syntax of group 
introduction to have the form $(\nu\mu{:}\ell)P$ meaning that $\mu$ has the level $\ell$. It is now 
straightforward to extend the semantics to map groups to security/integrity 
levels; the key rule is: 

$$\frac{\Gamma[\mu \mapsto \ell] \vdash P \to Q}{\Gamma \vdash (\nu\mu{:}\ell)P \to (\nu\mu{:}\ell)Q}$$

The security/integrity level information is then used in formalising reference 
monitors in the spirit of the Bell-LaPadula and Biba models; this is covered in 
the following subsections and takes the form of defining augmented semantics 
with judgements of the form $\Gamma \vdash P \twoheadrightarrow Q$. We shall allow ourselves to write $\twoheadrightarrow_{\mathrm{BLP}}$ and 
$\twoheadrightarrow_{\mathrm{Biba}}$ to differentiate between the two choices. 

4.1 Confidentiality: The Bell-LaPadula Model 

Dynamic Formulation of the Bell-LaPadula Model. The Bell-LaPadula 
security model [3,22] is expressed using an access control matrix and an assign- 
ment of security levels to objects and subjects; the security levels are arranged 
in a lattice $(L, \le)$ where $\ell_1 \le \ell_2$ means that $\ell_1$ has a lower security level than 
$\ell_2$. The overall aim is then to enforce confidentiality by preventing information 
from flowing downwards from a high security level to a low security level. 

To exemplify our interpretation of the Bell-LaPadula model for ambients we 
use a simple lattice $(L, \le)$ with $L = \{\mathrm{public}, \mathrm{secret}\}$ and public $\le$ secret, as is 
one of the possibilities illustrated in Figure 5. Conceptually we regard a secret 
ambient as a protective boundary from which no information is allowed to escape 
outwards to a public ambience. Thus, “anything” is allowed to happen inside 
or outside the boundary but restrictions are imposed on which ambients can 
leave it. This can be effectuated by making a number of restrictions on when 
operations (i.e. in, out, and open) on ambients are allowed. Informally, we state 
these restrictions as follows: 
— any ambient can enter any other ambient; 

— an ambient can only leave a secret ambient in a secret ambience; and 

— a secret ambient can only be dissolved in a secret ambience. 

The first item reflects that since nothing moves outwards when an in-capability 
is executed, confidentiality cannot be affected. This is in contrast to the 
situation for an out-capability where we must prevent movement from a secret 
ambient out to a public ambience. Correspondingly, the third condition expresses 
that secret information inside a secret ambient is not allowed to flow into a public 
ambience when the secret ambient is opened. 

These conditions can be formalised as side conditions to the semantic rules as 
shown below. The side conditions are modifications of the previous rules in that 
they incorporate the dynamic checks to be performed by the reference monitor. 
As an example, the rule for out now contains information about the encapsulating 
ambient in order to formalise the second condition. The formulation below is 
specialised to the security lattice {public, secret} whereas the formulation in Table 
6 is sufficiently general to deal with an arbitrary security lattice. 

$$\Gamma \vdash m[\mathrm{in}\ n.P \mid Q] \mid n[\overline{\mathrm{in}}_\mu\ n.R \mid S] \;\twoheadrightarrow\; n[m[P \mid Q] \mid R \mid S] \quad \text{if } \Gamma(m) = \mu$$

(any ambient can enter any other ambient; hence there is no side condition) 

$$\Gamma \vdash p[n[m[\mathrm{out}\ n.P \mid Q] \mid \overline{\mathrm{out}}_\mu\ n.R \mid S]] \;\twoheadrightarrow\; p[m[P \mid Q] \mid n[R \mid S]] \quad \text{if } \Gamma(m) = \mu \wedge (\Gamma(\mu) = \mathrm{secret} \Rightarrow \Gamma(\Gamma(p)) = \mathrm{secret})$$

(a secret ambient can leave an ambient only in a secret ambience) 

$$\Gamma \vdash m[\mathrm{open}\ n.P \mid n[\overline{\mathrm{open}}_\mu\ n.Q \mid R]] \;\twoheadrightarrow\; m[P \mid Q \mid R] \quad \text{if } \Gamma(m) = \mu \wedge (\Gamma(\Gamma(n)) = \mathrm{secret} \Rightarrow \Gamma(\mu) = \mathrm{secret})$$

(a secret ambient can be dissolved only in a secret ambience) 

Note that the clause for the out-capability compares the security levels of p 
and m, and that p and m have a grandfather-son relationship; this is the key 
reason why the 1CFA analysis is going to produce better results than the 
0CFA analysis. 

Security for Mobility 241 

Table 6. Reference monitor semantics for Bell-LaPadula. 

$$\frac{\Gamma[\mu \mapsto \ell] \vdash P \twoheadrightarrow Q}{\Gamma \vdash (\nu\mu{:}\ell)P \twoheadrightarrow (\nu\mu{:}\ell)Q}
\qquad
\frac{\Gamma[n \mapsto \mu] \vdash P \twoheadrightarrow Q}{\Gamma \vdash (\nu n{:}\mu)P \twoheadrightarrow (\nu n{:}\mu)Q} \;\text{ if } \mu \in \mathrm{dom}(\Gamma)$$

$$\frac{\Gamma \vdash P \twoheadrightarrow Q}{\Gamma \vdash n[P] \twoheadrightarrow n[Q]}
\qquad
\frac{\Gamma \vdash P \twoheadrightarrow Q}{\Gamma \vdash P \mid R \twoheadrightarrow Q \mid R}
\qquad
\frac{P \equiv P' \quad \Gamma \vdash P' \twoheadrightarrow Q' \quad Q' \equiv Q}{\Gamma \vdash P \twoheadrightarrow Q}$$

$$\Gamma \vdash m[\mathrm{in}\ n.P \mid Q] \mid n[\overline{\mathrm{in}}_\mu\ n.R \mid S] \;\twoheadrightarrow\; n[m[P \mid Q] \mid R \mid S] \quad \text{if } \Gamma(m) = \mu$$

$$\Gamma \vdash p[n[m[\mathrm{out}\ n.P \mid Q] \mid \overline{\mathrm{out}}_\mu\ n.R \mid S]] \;\twoheadrightarrow\; p[m[P \mid Q] \mid n[R \mid S]] \quad \text{if } \Gamma(m) = \mu \wedge \Gamma(\mu) \le \Gamma(\Gamma(p))$$

$$\Gamma \vdash m[\mathrm{open}\ n.P \mid n[\overline{\mathrm{open}}_\mu\ n.Q \mid R]] \;\twoheadrightarrow\; m[P \mid Q \mid R] \quad \text{if } \Gamma(m) = \mu \wedge \Gamma(\Gamma(n)) \le \Gamma(\mu)$$

Example 33. Returning to the running example (expressed in Discretionary Am- 
bients) of Example 21 we first assume that the sites are secret, that the packet is 
public, and that the overall system is in a public ambience. The packet can move 
out of the site A because it is public and thus it does not impose the additional 
conditions on the ambience. The packet can always move into the site B and 
since it is public it can be opened inside B. So the execution explained in Ex- 
ample 21 is accepted by the reference monitor. This means that the transitions 
outlined in Example 21 hold for $\to$ as well as $\twoheadrightarrow_{\mathrm{BLP}}$. 

Alternatively, let us assume that the sites are public but that the packet is 
secret. Now the packet is not allowed to leave A unless the overall system is in 
a secret ambience. The packet can always move into B but then it cannot be 
opened because it is secret and the ambience provided by B is indeed public. 
Thus in this case the reference monitor will “kick in” and prevent the execution 
from happening. This means that the transitions outlined in Example 21 hold 
for $\to$ but not for $\twoheadrightarrow_{\mathrm{BLP}}$. □ 

Static Formulation of the Bell-LaPadula Model. Having obtained an ap- 
proximation to the behaviour of the processes the next step is to formulate the 
Bell-LaPadula conditions as checks on the analysis results, the idea being 
that if the analysis result passes these checks then the reference monitor will not 
intervene in the execution of the process. 

The analysis result $(\mathcal{I},\mathcal{D})$ satisfies the Bell-LaPadula security conditions with 
respect to the assignment $\Gamma$ of security levels to groups, written $\mathrm{BLP}_\Gamma(\mathcal{I},\mathcal{D})$, if 
the following conditions are fulfilled: 

$$\forall \mu^a, \mu^g :\; [\exists \mu : \overline{\mathrm{out}}_{\mu^a}\ \mu \in \mathcal{D}(\mu^g, \mu)] \;\Rightarrow\; \Gamma(\mu^a) \le \Gamma(\mu^g)$$

$$\forall \mu^p, \mu :\; [\overline{\mathrm{open}}_{\mu^p}\ \mu \in \mathcal{D}(\mu^p, \mu)] \;\Rightarrow\; \Gamma(\mu) \le \Gamma(\mu^p)$$

The precondition of the first formula identifies a potential out-redex and the 
conclusion then requires that the security level of the subject ($\mu^a$) is at most 
that of the ambience ($\mu^g$), exactly as required by the reference monitor. The 
second formula expresses the corresponding condition for the open-redex. In 
both cases we make good use of the “observation predicate” $\mathcal{D}$ in order to avoid 
copying large parts of the clauses in the 1CFA analysis. 

Example 34. Corresponding to Example 33 let us assume that $\Gamma(S) = \mathrm{secret}$ 
and $\Gamma(P) = \Gamma(\star) = \Gamma(\top) = \mathrm{public}$. We shall check the Bell-LaPadula conditions 
imposed on the analysis result presented in Example 29. The precondition of 
the out-capability is only satisfied for $\mu = S$, $\mu^a = P$, and $\mu^g = \star$ and the 
check $\Gamma(\mu^a) \le \Gamma(\mu^g)$ amounts to public $\le$ public, which clearly holds. The 
precondition for the open-capability is only satisfied for $\mu = P$ and $\mu^p = S$ 
and the check $\Gamma(\mu) \le \Gamma(\mu^p)$ amounts to public $\le$ secret, which also holds. 
Consequently the analysis result ensures that the reference monitor will not 
“kick in” and, therefore, its tests can be dispensed with, as was also observed 
in Example 33. 

Alternatively, we may assume that $\Gamma(P) = \mathrm{secret}$ and $\Gamma(S) = \Gamma(\star) = \Gamma(\top) = \mathrm{public}$. 
For the out-capability the check $\Gamma(\mu^a) \le \Gamma(\mu^g)$ amounts to secret $\le$ public 
and since this does not hold we cannot guarantee that the reference monitor will 
not “kick in”, as we reasoned in Example 33. □ 

The correctness of the static test can be expressed as follows; the result says 
that we can dispense with the reference monitor if the static checks are fulfilled: 

Theorem 35. Suppose $\mathrm{BLP}_\Gamma(\mathcal{I},\mathcal{D})$ holds for some analysis estimate that sat- 
isfies $(\mathcal{I},\mathcal{D}) \models^{\Gamma}_{\top,\star} P$; then any execution $\Gamma \vdash P \to^* Q$ can be mimicked as an 
execution $\Gamma \vdash P \twoheadrightarrow^*_{\mathrm{BLP}} Q$. 

The proof is by induction in the length of the derivation sequence using the 
subject reduction theorem; each step is by induction on the inference in the 
semantics; we omit the details. 

Efficient implementation of the 1CFA analysis is as before. It is straightfor- 
ward to translate $\mathrm{BLP}_\Gamma(\mathcal{I},\mathcal{D})$ into ALFP and the test can be performed in low 
polynomial time. 

4.2 Integrity: The Biba Model 

Dynamic Formulation of the Biba Model. The Biba model for integrity 
[4,22] combines the access control matrix with an assignment of integrity levels to 
subjects and objects; the integrity levels are arranged in a lattice and the overall 
aim is to prevent the corruption of high-level entities by low-level entities. 

As a simple example we use the lattice {dubious, trusted} with dubious $\le$ 
trusted. Again we view ambients as protective boundaries but now we want to 
prevent dubious ambients from moving into trusted ambients. We can state this 
as the following requirements on operations on ambients: 

— only trusted ambients can enter trusted ambients; 

— only trusted ambients can leave in a trusted ambience; 

— inside a trusted ambient it is only possible to dissolve trusted ambients that 
only contain trusted sub-ambients. 

The first item reflects that a trusted ambient will be corrupted if it is entered 
by a dubious sibling. The second item reflects that a trusted ambient will also 
be corrupted if it is “entered” by a dubious grandchild. The third item again 
protects a trusted ambient against corruption by dubious grandchildren but 
this time as a result of a child being opened. Furthermore, we disallow dubious 
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Table 7. Reference monitor semantics for Biba. 



r[/r ^ £]\- P ^ Q 

r\- 



r[n I— >■ /r] h P — »■ Q 
P h {vn : jj,)P — »■ (vn : fi)Q 



if /i G dom(P) 



rhP-^Q PhP-^Q 

P h n[P] ^ n[Q] P'r P\R^Q\R 



P = P' P h P' Q' Q' = Q 
PhP-^Q 



P h m[in n. P I Q] I n[in^n. P | S'] — »• n[m[P j Q] j P j S] if P(m) = /r A 

r(P(n)) < P(/r) 



P h p[n[m[out n. P I Q] I out^n. P j S]] — »■ p[m[P j Q] j n[R j Sj] if P(m) = /r A 

r(P(p)) < P(/x) 

P h m[open n. P j n[open^n. Q j P]] — » m[P j Q j P] if P(m) = /r A 

/i < P(n) A 
Vp[-] G top(Q I P) : 
r(/r) < P(P(p)) 



ambients to be opened in a trusted ambience, since this could unleash “dubious 
capabilities” . 

This is formalised by the following extension of the semantics. As before the 
formulation below is adapted to the security lattice {dubious, trusted} whereas 
the formulation in Table 7 is sufficiently general to deal with an arbitrary security 
lattice. In the clause for open we write top(Q | R) for the ambients occurring 
at the top-level of the process Q | R; we demand that all of these ambients 
must have an integrity level that is at least as high as that of the encapsulating 
ambient. 

    only trusted ambients can enter a trusted ambient: 
        Γ(Γ(n)) = trusted ⇒ Γ(μ) = trusted 

    a trusted ambience can only be entered by a trusted ambient: 
        Γ(Γ(p)) = trusted ⇒ Γ(μ) = trusted 

    only trusted ambients with trusted sub-ambients can be dissolved inside a 
    trusted ambient: 
        Γ(μ) = trusted ⇒ Γ(Γ(n)) = trusted ∧ ∀p[·] ∈ top(Q | R) : Γ(Γ(p)) = trusted 

Note that also here the ambients of interest have a grandfather-son relation- 
ship; once again this motivates our study of the 1CFA analysis. 
Example 36. Returning to Example 21 we now assume that sites are dubious, 
that the packet is trusted, and that the overall system is trusted. The packet can 
move out of A because the overall system is trusted and it can now move into 
B because the sites are dubious. Since the site is dubious there is no problem 
opening the packet although it is trusted. So the execution of Example 21 will 
be accepted by the reference monitor. This means that the transitions outlined 
in Example 21 hold for → (the ordinary semantics) as well as for ↠ (the reference 
monitor semantics of Table 7). 

Alternatively, assume that the sites are trusted but that the packet as well 
as the overall system are dubious. Then the reference monitor will prevent the 
packet from entering the site B as it will corrupt its integrity. This means that 
the transitions outlined in Example 21 hold for → but not for ↠. □ 
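The three side conditions of Table 7, specialised to the lattice {dubious, trusted}, can be made concrete as a small executable monitor. The Python code below is an added example and not part of the original paper: it assumes a reconstruction of the packet-and-sites system of Example 21 as Example 36 recounts it (sites A and B of group S, a packet p of group P, an overall system of group ⋆), encodes the in-, out- and open-checks of Table 7 as predicates over the group-to-level part of Γ, and replays the two level assignments of Example 36 through them.

```python
# Added example (not from the paper): a reference monitor for the Biba rules of
# Table 7 on the two-point lattice dubious < trusted, replayed over the
# packet-and-sites scenario that Example 36 describes (the system itself is an
# assumed reconstruction of Example 21).
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

DUBIOUS, TRUSTED = 0, 1            # integrity levels, dubious < trusted
Levels = Dict[str, int]            # Gamma restricted to groups: group -> level


@dataclass
class Ambient:
    """An ambient n[...] of a given group; kids are its top-level sub-ambients."""
    name: str
    group: str
    kids: List["Ambient"] = field(default_factory=list)


def level(gamma: Levels, a: Ambient) -> int:
    """Gamma(Gamma(n)): the integrity level of the group of ambient n."""
    return gamma[a.group]


def allow_in(gamma: Levels, mover: Ambient, target: Ambient) -> bool:
    """m[in n. P | Q] | n[...]: permitted iff Gamma(Gamma(n)) <= Gamma(mu), mu = Gamma(m)."""
    return level(gamma, target) <= level(gamma, mover)


def allow_out(gamma: Levels, mover: Ambient, grandparent: Ambient) -> bool:
    """p[n[m[out n. P | Q] | ...]]: permitted iff Gamma(Gamma(p)) <= Gamma(mu)."""
    return level(gamma, grandparent) <= level(gamma, mover)


def allow_open(gamma: Levels, opener: Ambient, opened: Ambient) -> bool:
    """m[open n. P | n[Q | R]]: permitted iff Gamma(mu) <= Gamma(Gamma(n)) and every
    top-level ambient p of n satisfies Gamma(mu) <= Gamma(Gamma(p))."""
    mu = level(gamma, opener)
    return mu <= level(gamma, opened) and all(mu <= level(gamma, p) for p in opened.kids)


def example36_trace(gamma: Levels) -> List[Tuple[str, bool]]:
    """Replay the moves of Example 36 (packet leaves A, enters B, B opens it)
    under the monitor and return the verdicts; stop at the first refusal."""
    packet = Ambient("p", "P")
    site_a = Ambient("A", "S", [packet])
    site_b = Ambient("B", "S")
    system = Ambient("*", "*", [site_a, site_b])       # the overall system, group *
    steps: List[Tuple[str, Callable[[], bool]]] = [
        ("out A", lambda: allow_out(gamma, packet, system)),
        ("in B", lambda: allow_in(gamma, packet, site_b)),
        ("open p", lambda: allow_open(gamma, site_b, packet)),
    ]
    verdicts = []
    for label, check in steps:
        ok = check()
        verdicts.append((label, ok))
        if not ok:
            break
    return verdicts


if __name__ == "__main__":
    # sites dubious, packet and system trusted: every step is accepted
    print(example36_trace({"S": DUBIOUS, "P": TRUSTED, "*": TRUSTED}))
    # sites trusted, packet and system dubious: the monitor refuses "in B"
    print(example36_trace({"S": TRUSTED, "P": DUBIOUS, "*": DUBIOUS}))
```

The first assignment lets all three steps through, the second is stopped at in B, exactly the two outcomes Example 36 reports; the open-check also looks at the top-level sub-ambients of the opened ambient, which is the grandfather-son dependency the text points out.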



Static Formulation of the Biba Model. The analysis result (I, D) satisfies 
the Biba integrity condition with respect to the assignment Γ of integrity levels 
to groups, written Biba_Γ(I, D), if the following conditions are fulfilled: 

    ∀μ, μ^a : [∃μ^p : in^{μ^a} μ ∈ D(μ^p, μ)] ⇒ Γ(μ) ≤ Γ(μ^a) 

    ∀μ^a, μ^s : [∃μ : out^{μ^a} μ ∈ D(μ^s, μ)] ⇒ Γ(μ^s) ≤ Γ(μ^a) 

    ∀μ^p, μ : [open^{μ^p} μ ∈ D(μ^p, μ)] ⇒ 
              [Γ(μ^p) ≤ Γ(μ) ∧ ∀μ^c : μ^c ∈ I(μ^p, μ) ⇒ Γ(μ^p) ≤ Γ(μ^c)] 

Again the preconditions express the presence of a potential redex and the 
conclusion then imposes the relevant integrity constraint of the reference monitor. 
Note that the top-level ambients (μ^c) occurring inside the subject (μ) can easily 
be accessed using the relation I. 

Example 37. Corresponding to Example 36 let us assume that Γ(S) = dubious 
and Γ(P) = Γ(⋆) = Γ(T) = trusted and let us check the Biba conditions on 
the analysis result of Example 29. The precondition for the in-capability is only 
satisfied for μ = S, μ^a = P, and μ^p = ⋆ and the check Γ(μ) ≤ Γ(μ^a) amounts to 
dubious ≤ trusted, which clearly holds. The precondition for the out-capability 
is only satisfied for μ^a = P, μ = S, and μ^s = ⋆ and the check Γ(μ^s) ≤ Γ(μ^a) 
amounts to trusted ≤ trusted, which also holds. The precondition for the open- 
capability only holds for μ = P and μ^p = S. This leads to the two requirements 
that dubious ≤ trusted and that the universally quantified implication must hold 
for these values of μ and μ^p. The latter trivially holds since there exists no 
μ^c to fulfil the precondition, reflecting that P never contains any sub-ambients. 
Consequently the analysis result ensures that the reference monitor will never 
“kick in”, as we already observed in Example 36. 

Alternatively we may assume that Γ(S) = trusted but Γ(P) = Γ(⋆) = 
Γ(T) = dubious. For the in-capability the check Γ(μ) ≤ Γ(μ^a) amounts to 
trusted ≤ dubious and since this does not hold we cannot guarantee that the 
reference monitor will not “kick in”, as we already observed in Example 36. □ 
The correctness of the static test can be expressed as follows; the result says 
that we can dispense with the reference monitor if the static checks are fulfilled: 

Theorem 38. Suppose Biba_Γ(I, D) holds for some analysis estimate that sat- 
isfies (I, D) ⊨ P; then any execution Γ ⊢ P →* Q can be mimicked as an 
execution Γ ⊢ P ↠* Q. 

The proof is by induction on the length of the derivation sequence using the 
subject reduction theorem; each step is by induction on the inference in the 
semantics; we omit the details. 

Efficient implementation is as before: translating Biba_Γ(I, D) into ALFP, the 
test can be performed in low polynomial time. 

Remark 39. The static tests for Bell-LaPadula and Biba could also be phrased 
using the father-son relations found by the 0CFA. Since the tests are of a 
grandfather-child nature the 0CFA is, however, likely to be too imprecise. An- 
other approach to improving the simple father-son analysis is considered by 
Braghin, Cortesi, and Focardi in [6] (for the classical Mobile Ambients with la- 
bels). Their idea is to extend the analysis with a third component holding the 
security level of the grandfather. While their analysis will in general be more 
precise than using our 0CFA it is coarser than the one developed here using the 
1CFA because the security information of a grandfather may identify a rather 
large superset of the set of grandfathers possible. 

Related work of studying mandatory access control within ambient calculi 
has also been done by Bugliesi, Castagna, and Crafa [9]. They interpret access 
control in an ambient setting as access to communication between ambients 
rather than mobility as we do. This leads to the definition of a new calculus called 
Boxed Ambients (see Section 5), which extends the communication primitives 
of the original Mobile Ambient calculus. Their main result is a type system 
which checks that communication does not violate a given access policy. The 
type system primarily builds on the exchange types of [14] (see Remark 50) and, 
as such, is quite far from our analysis which tracks mobility. 

More recently, the same authors have studied information flow in a variant 
of Boxed Ambients [21]. They partition information (i.e. names and capabilities) 
into high and low security levels and define a type system which imposes access 
control on low level processes. Next, they define processes to be contextually 
equivalent whenever they exhibit a certain kind of communication out of low level 
ambients. Finally, they show that a well-typed low level process is equivalent to 
itself composed with any well-typed high level process. Thus, a low level process 
cannot observe the difference between running on its own or running together 
with a well-typed high level process. Thereby they ensure that a low level process 
cannot deduce anything about well-typed high level processes. As the authors 
themselves point out, the requirement for high level processes to be well-typed is 
rather strict since it is not ensured that every process can be typed. Therefore, 
the high-level processes must be known so the method only applies to closed 
systems. □ 
5 Cryptographic Protocols 

Mobile Ambients as originally introduced in [13] also admit communication prim- 
itives. However, rather than following full-fledged channel-based communication 
as in the π-calculus the designers opted for a more limited form of communica- 
tion where each ambient has a mailbox that allows both ambient names as well as 
capabilities to be communicated. In this way all communication is local between 
the top-level processes of an ambient and one achieves long distance commu- 
nication by a combination of local communication and movement within the 
ambient hierarchy. Also they opted for asynchronous rather than synchronous 
communication. In the case of monadic input and output the asynchronous¹ 
communication primitives are: 

    ⟨M⟩ outputs the message M asynchronously to the local mailbox; 

    (x). P inputs a message from the mailbox, binds it to x and continues as P. 

Boxed Ambients [9,8] takes the view that ambients should not only be allowed 
to communicate locally but also with their children (but not grandchildren) and 
parents (but not grandparents). In the monadic calculus the new communication 
primitives are 

— ⟨M⟩^↑ outputs a message to the mailbox of the parent; 

— ⟨M⟩° outputs a message to the local mailbox; 

— ⟨M⟩^n outputs a message to the mailbox of a child named n; 

— (x)^↑. P inputs a message from the mailbox of the parent; 

— (x)°. P inputs a message from the local mailbox; 

— (x)^n. P inputs a message from the mailbox of a child named n. 

Example 40. Boxed Ambients are well suited for expressing perfect symmetric 
cryptography although there are no explicit cryptographic primitives. We shall 
code symmetric keys as names and introduce them using restriction; the perfect 
nature of the cryptography is then due to the semantics of restriction, (νn : μ)P, 
that ensures that the name n introduced is distinct from all other names whether 
already introduced or yet to be introduced. In this model even a brute force 
attack cannot succeed. 

A plain-text message msg encrypted under a key K is then coded as 

    K[⟨msg⟩°] 

whereas decrypting a ciphertext cph under the key K is coded as: 

    cph | (x)^K. ···x··· 

Here the decryption only succeeds if indeed cph contains a top-level ambient of 
the form K[⟨msg⟩°]. If the encrypted message needs to survive for later decryption 
it can be “protected” from destruction by placing a replication operator (!) in 
front of it. □ 

¹ To obtain synchronous communication we should write ⟨M⟩. P and modify the se- 
mantics. 
5.1 Syntax and Semantics of Boxed Ambients 

For the definition of the syntax of Boxed Ambients we revert to Mobile Ambients as 
explained in Section 2 and add polyadic communication. 

Syntax. As in other presentations of ambients we make a distinction between 
names (introduced by restrictions) and variables (introduced by input); in our 
view, this distinction adds clarity both to the semantics and to the analysis. We 
shall therefore find it helpful to introduce a new syntactic category N of namings 
that can be both variables and names and to use namings where names were 
used before. Furthermore we introduce an auxiliary syntactic category η for the 
communication direction. The syntax then reads: 

    P ::= (νμ)P | (νn:μ)P | 0 | P_1 | P_2 | !P | M. P | N[P] | 
          ⟨M_1, ··· , M_k⟩^η | (x_1, ··· , x_k)^η. P 

    M ::= in N | out N | N 

    N ::= n | x 

    η ::= N | ↑ | ° 

We follow the designers of Boxed Ambients in not including the open-capability. 
For simplicity of presentation we have not allowed the formation of composite 
capabilities, i.e., we disallow the nil capability ε and the concatenation M_1. M_2 
as would be needed for communicating complete routes along which movement 
could take place; most of the development would work for these extensions as 
well but the actual implementation would be more complex. 

Semantics. The semantic changes are rather minor with respect to the specifi- 
cation of Tables 1 and 2. For the structural congruence we simply need to add 
the rule: 

    P ≡ Q ⇒ (x_1, ··· , x_k)^η. P ≡ (x_1, ··· , x_k)^η. Q 

For the transition relation of Table 2 we add a number of rules for commu- 
nication. The rules are depicted in their monadic version below, i.e. where only 
one message is communicated at a time. The polyadic version of the rules are 
summarised in Table 8 where P{x_1 ↦ M_1} ··· {x_k ↦ M_k} denotes P with M_i 
substituted for x_i with the usual α-renaming in order to avoid capturing free 
names in the M_i. We shall only apply the transition relation to closed processes, 
i.e. processes without any free variables, and hence M_i contains no variables. 
Consequently we shall dispense with α-renaming of variables (since this simpli- 
fies the specification of the 0CFA analysis). 

First we have local communication, which takes place between any two sibling 
processes 

    ⟨M⟩° | (x)°. P → P{x ↦ M} 

and binds the value of the message M to the variable x in the receiving pro- 
cess P. Next we add the following rules for output to a child, either by explicitly 
naming the child (and using the child’s mailbox for the exchange of the message) 




248 Hanne Riis Nielson, Flemming Nielson, and Mikael Buchholtz 



Table 8. Transition relation for Boxed Ambients. Additions to Table 2. 

    ⟨M_1, ··· , M_k⟩° | (x_1, ··· , x_k)°. P → P{x_1 ↦ M_1} ··· {x_k ↦ M_k} 

    ⟨M_1, ··· , M_k⟩^n | n[(x_1, ··· , x_k)°. P | Q] → n[P{x_1 ↦ M_1} ··· {x_k ↦ M_k} | Q] 
    ⟨M_1, ··· , M_k⟩° | n[(x_1, ··· , x_k)^↑. P | Q] → n[P{x_1 ↦ M_1} ··· {x_k ↦ M_k} | Q] 

    (x_1, ··· , x_k)°. P | n[⟨M_1, ··· , M_k⟩^↑ | R] → P{x_1 ↦ M_1} ··· {x_k ↦ M_k} | n[R] 
    (x_1, ··· , x_k)^n. P | n[⟨M_1, ··· , M_k⟩° | R] → P{x_1 ↦ M_1} ··· {x_k ↦ M_k} | n[R] 



    ⟨M⟩^n | n[(x)°. P | Q] → n[P{x ↦ M} | Q] 

or anonymously (using the enclosing ambient's mailbox for the exchange of the 
message) 

    ⟨M⟩° | n[(x)^↑. P | Q] → n[P{x ↦ M} | Q] 

Finally, we add the following rules for output to a parent 

    (x)°. P | n[⟨M⟩^↑ | R] → P{x ↦ M} | n[R] 

and 

    (x)^n. P | n[⟨M⟩° | R] → P{x ↦ M} | n[R] 

In particular, we do not have a rule for output to grandchildren such as: 

    ⟨M_1, ··· , M_k⟩^n | n[m[(x_1, ··· , x_k)^↑. P | Q] | R] → ··· 

Instead communication between a grandparent and its grandchildren will have to 
be forwarded, e.g. as done by m below (for monadic output of a message M): 

    ⟨M⟩^m | m[(x)°. ⟨x⟩° | n[(x)^↑. ···x···]] 

Example 41. Continuing Example 40 we have that 

    K[⟨msg⟩°] | (x)^K. ···x··· → K[ ] | ···msg··· 

showing that after the decryption an empty message, K[ ], is left behind. □ 
Example 42. Boxed Ambients allow us to code a package moving around on a 
network where it communicates the name of a new ambient to be created at the 
destination: 

    A[p[out A. in B. ⟨C⟩^↑]] | B[(x)°. x[ ]] 

    → A[ ] | p[in B. ⟨C⟩^↑] | B[(x)°. x[ ]] 

    → A[ ] | B[p[⟨C⟩^↑] | (x)°. x[ ]] 

    → A[ ] | B[p[ ] | C[ ]] 

This example illustrates the usefulness of being able to communicate between 
adjacent layers and why this reduces (if not obviates) the need for the open- 
capability. □ 
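To see the communication rules of Table 8 and the derivation of Example 42 actually execute, the following is a small reducer for monadic Boxed Ambients. It is an added example and not code from the paper or from the Boxed Ambients authors: each ambient is a tree node holding a list of action threads, the in- and out-capabilities move nodes in the tree, and the five rules of Table 8 are implemented by pairing an input with the pending asynchronous output it may consume. It reduces Example 42 and the decryption of Example 41; in the latter the elided continuation ···x··· is instantiated as x[ ] (an assumption made here) so that the received name becomes visible in the final tree.

```python
# Added example (not the paper's code): a reducer for monadic Boxed Ambients
# covering the in/out capabilities and the five communication rules of Table 8.
# An action is a tuple: ("in", n), ("out", n), ("send", dir, M), ("recv", dir, x)
# or ("amb", n) for spawning n[ ]; dir is UP (↑), LOCAL (°) or a child name.
from dataclasses import dataclass, field
from typing import List, Optional

UP, LOCAL = "↑", "°"


@dataclass(eq=False)
class Amb:
    """n[threads | kids]: each thread is a list of actions run in sequence."""
    name: str
    threads: List[list] = field(default_factory=list)
    kids: List["Amb"] = field(default_factory=list)
    parent: Optional["Amb"] = field(default=None, repr=False)

    def __post_init__(self):
        for k in self.kids:
            k.parent = self


def subst(actions, var, val):
    """P{x ↦ M}: replace the variable in the remaining actions of a thread."""
    return [tuple(val if f == var else f for f in a) for a in actions]


def pending_sends(amb, direction):
    """Threads of amb whose next action is an output in the given direction."""
    return [t for t in amb.threads if t and t[0][0] == "send" and t[0][1] == direction]


def match_send(amb, direction):
    """The output that an input (x)^direction in amb may consume (Table 8):
    (x)° pairs with ⟨M⟩° in amb, ⟨M⟩^↑ in a child, or ⟨M⟩^amb in the parent;
    (x)^↑ pairs with ⟨M⟩° in the parent; (x)^n pairs with ⟨M⟩° in a child n."""
    cands = []
    if direction == LOCAL:
        cands += pending_sends(amb, LOCAL)
        for k in amb.kids:
            cands += pending_sends(k, UP)
        if amb.parent is not None:
            cands += pending_sends(amb.parent, amb.name)
    elif direction == UP:
        if amb.parent is not None:
            cands += pending_sends(amb.parent, LOCAL)
    else:
        for k in amb.kids:
            if k.name == direction:
                cands += pending_sends(k, LOCAL)
    return cands[0] if cands else None


def walk(amb):
    yield amb
    for k in list(amb.kids):
        yield from walk(k)


def step(root) -> bool:
    """Perform one reduction somewhere in the tree; False if none is enabled."""
    for amb in walk(root):
        par = amb.parent
        for th in list(amb.threads):
            if not th:                      # a finished thread is 0
                amb.threads.remove(th)
                continue
            head = th[0]
            if head[0] == "out" and par is not None and par.name == head[1] and par.parent is not None:
                par.kids.remove(amb); par.parent.kids.append(amb); amb.parent = par.parent
                th.pop(0); return True
            if head[0] == "in" and par is not None:
                for sib in par.kids:
                    if sib is not amb and sib.name == head[1]:
                        par.kids.remove(amb); sib.kids.append(amb); amb.parent = sib
                        th.pop(0); return True
            if head[0] == "amb":            # x[ ] once x has been bound to a name
                amb.kids.append(Amb(head[1], parent=amb))
                th.pop(0); return True
            if head[0] == "recv":
                src = match_send(amb, head[1])
                if src is not None:
                    msg = src.pop(0)[2]     # consume the asynchronous output
                    th.pop(0)
                    th[:] = subst(th, head[2], msg)
                    return True
    return False


def run(root, limit=1000):
    while limit > 0 and step(root):
        limit -= 1
    return root


def shape(amb):
    """The ambient tree with threads ignored: (name, sorted shapes of the kids)."""
    return (amb.name, tuple(sorted(shape(k) for k in amb.kids)))


def example42():
    """A[p[out A. in B. ⟨C⟩^↑]] | B[(x)°. x[ ]]  reduces to  A[ ] | B[p[ ] | C[ ]]."""
    system = Amb("*", kids=[
        Amb("A", kids=[Amb("p", threads=[[("out", "A"), ("in", "B"), ("send", UP, "C")]])]),
        Amb("B", threads=[[("recv", LOCAL, "x"), ("amb", "x")]])])
    return shape(run(system))


def example41():
    """K[⟨msg⟩°] | (x)^K. x[ ]  reduces to  K[ ] | msg[ ] (the decrypted name spawned)."""
    system = Amb("*", threads=[[("recv", "K", "x"), ("amb", "x")]],
                 kids=[Amb("K", threads=[[("send", LOCAL, "msg")]])])
    return shape(run(system))
```

Because substitution is applied to every field of the remaining actions, a received name may also serve as a direction, which is what the protocol encodings below rely on when a principal reads a key name and then inputs from the ambient of that name.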

5.2 Cryptographic Protocols in Boxed Ambients 

Boxed Ambients seems rather well suited for expressing a number of crypto- 
graphic protocols. In this subsection we consider a number of protocols that 
involve a server S and agents (or principals) A and B. 

Agents present themselves with their name and frequently there is the need 
to find the corresponding key. In traditional programming languages one might 
have an array that is indexed with the name and that produces the key, i.e. the 
key to be used by the server for encryption or decryption of messages from the 
agent. In Boxed Ambients it is natural to represent the “array” as a process of 
the form 

    KeyTable = n_1[!⟨K_1⟩°] | ··· | n_k[!⟨K_k⟩°] 

corresponding to the name of the principal n_i being mapped to the key K_i. We 
use replication to ensure that the “array” can be queried any number of times. 
Hence, whenever a process performs the action 

    KeyTable | (yK)^{x_k}. ···yK··· 

it will obtain the key yK corresponding to the agent x_k. 

Occasionally there is a need to test that two random numbers are equal before 
proceeding. In traditional programming languages one would test the equality 
of n and m using a conditional. In Mobile Ambients the traditional coding trick 
is to create an ambient, n[ ], and then let an open-capability, open m, guard the 
then-branch (ignoring the else-branch). In Boxed Ambients we do not have the 
open-capability and hence will use communication: we create an ambient, n[⟨⟩°], 
that performs a local nullary output and then let an input, ()^m. ···, guard the 
then-branch. In other words 

    n[⟨⟩°] | ()^m. P 

will block the execution of P unless n equals m. 

Fig. 6. Wide Mouthed Frog protocol. 

Whenever a principal sends a message to another principal it would be nat- 
ural to encode the message in an anonymous packet (e.g. p). Often the message 
consists of some public names together with a message encrypted by some key 
(e.g. K) and consisting of some secret names. One could then send the pair 
(public, secret) from A to B by means of the packet: 

    p[out A. in B. (⟨public⟩° | K[out p. ⟨secret⟩°])] 

To avoid an overly heavy coding we shall generally prefer to dispense with the 
anonymous packet and instead reuse the cryptographic key. We therefore send 
(public, secret) from A to B by means of: 

    K[out A. in B. (⟨public⟩^↑ | ⟨secret⟩°)] 

Once the capabilities out A and in B have been executed the enclosing ambient 
will have access to the public parts of K without knowing the key, e.g. 

    K[⟨public⟩^↑ | ⟨secret⟩°] | (x)°. x → K[⟨secret⟩°] | public 

In order to get hold of the secret parts of the message the enclosing ambient 
needs knowledge of the key K: 

    K[⟨public⟩^↑ | ⟨secret⟩°] | (x)^K. x → K[⟨public⟩^↑] | secret 



Wide Mouthed Frog. We consider here the Wide Mouthed Frog protocol 
originally described in [10] in the simplified version of [1] where agents A and B 
are given together with a trusted server S. Also secret master keys are in place 
between the server and the agents: K_AS is known only to A and S, and K_BS is 
known only to B and S. Hence the KeyTable to be used in the server is 

    KeyTable = A[!⟨K_AS⟩°] | B[!⟨K_BS⟩°] 

The purpose of the protocol is first to exchange a secret session key K_AB for 
use between A and B, and then to communicate a secret message M using the 
session key. The protocol depicted in Figure 6 begins with A creating the session 
key K_AB and the message M. Next A forwards the key to S, encoded with K_AS, 
thereby asking S to forward it to B. The key is forwarded to B, encoded with 
K_BS. At this point B is ready to receive the message M communicated by A, this 
time encrypted with the secret session key K_AB. The classical way of presenting 
protocols (see e.g. [18]) is to write a narration where the messages of the protocol 
are listed in order. For each message the principals involved in the message 
exchange are given along with the content of the message. For the Wide Mouthed 
Frog protocol this looks as follows (where we write K[M] for the message M 
encrypted under the key K): 

    1. A → S : A, K_AS[B, K_AB] 

    2. S → B : K_BS[A, K_AB] 

    3. A → B : K_AB[M] 

In more detail the steps are as follows (writing Alice for A, Bob for B and Server 
for S as is customary when discussing protocols): 

1. Alice generates a new random session key (K_AB) 

    (ν K_AB : K_AB) 

and then sends her name (A), Bob's name (B) and the session key (K_AB) to 
the Server (S) encrypted by her master key K_AS: 

    K_AS[out A. in S. (⟨A⟩^↑ | ⟨B, K_AB⟩°)] 

As discussed above, Alice's name (A) can be received by any enclosing am- 
bient once out A. in S has been executed whereas Bob's name and the session 
key (B, K_AB) can only be received by those ambients holding the master key 
K_AS under which the message is encrypted. 

2. The Server first receives Alice's name (yA = A) and obtains her master 
key (yKAS = K_AS) from the KeyTable and uses it to decrypt the remaining 
components (yB = B and yKAB = K_AB) of the message: 

    KeyTable | (yA)°. (yKAS)^{yA}. (yB, yKAB)^{yKAS}. ··· 

The Server obtains Bob's master key (yKBS = K_BS) from KeyTable and uses 
it to encrypt Alice's name (yA = A) and the random key (yKAB = K_AB) and 
sends it to Bob (yB = B): 

    (yKBS)^{yB}. yKBS[out S. in yB. ⟨yA, yKAB⟩°] 

Bob decrypts the message using his master key K_BS and obtains Alice's name 
(zA = A) and the session key (zKAB = K_AB): 

    (zA, zKAB)^{K_BS}. ··· 

3. Alice creates her message (M) and sends it encrypted with the session key 
K_AB to Bob 

    (ν M : M) K_AB[out A. in B. ⟨M⟩°] 

which Bob receives and decrypts using the session key (zKAB = K_AB): 

    (x)^{zKAB}. ···x··· 
The overall protocol can be written as follows: 

    A[ (ν K_AB : K_AB) K_AS[out A. in S. (⟨A⟩^↑ | ⟨B, K_AB⟩°)] | 
       (ν M : M) K_AB[out A. in B. ⟨M⟩°] ] | 

    S[ KeyTable | 
       (yA)°. (yKAS)^{yA}. (yB, yKAB)^{yKAS}. 
       (yKBS)^{yB}. yKBS[out S. in yB. ⟨yA, yKAB⟩°] ] | 

    B[ (zA, zKAB)^{K_BS}. (x)^{zKAB}. ···x··· ] 

We refer to the literature for the security properties of the Wide Mouthed Frog 
protocol. Actually, our encoding is a bit “more secure” than the original protocol. 
As an example, in step (1) we ensure that no one can listen to Alice's name, nor 
to Bob's name and the session key, until after the package has been delivered. 
Rather than attempting to weaken the encoding to open up for more attacks we 
consider this a benefit of performing the encoding in Boxed Ambients. 

Yahalom. The Yahalom protocol is described in [10]; its classical narration is 
as follows: 

    1. A → B : A, R_A 

    2. B → S : B, K_BS[A, R_A, R_B] 

    3. S → A : K_AS[B, K_AB, R_A, R_B], K_BS[A, K_AB] 

    4. A → B : K_BS[A, K_AB], K_AB[R_B] 

    5. A → B : K_AB[M] 

In Boxed Ambients it can be encoded as follows: 

1. Alice sends her name and a random number to Bob: 

    (ν R_A : R) p[out A. in B. ⟨A, R_A⟩^↑] 

Here there is no encryption in the message and we have to revert to the use 
of an anonymous package. 

2. Bob receives Alice's name and random number and generates his own random 
number; he then encrypts Alice's name, her random number and his own 
random number with his own master key and sends it to the Server together 
with his name: 

    (yA, yR)°. (ν R_B : R) K_BS[out B. in S. (⟨B⟩^↑ | ⟨yA, yR, R_B⟩°)] 

3. The Server receives Bob's name and obtains his master key from KeyTable; 
he then decrypts Alice's name and the two random numbers and obtains 
Alice's master key and creates a random session key. Then he constructs two 
messages. The first message is encrypted with Alice's master key and is sent 
to Alice; it contains Bob's name, the session key, Alice's random number 
and Bob's random number. The other message is sent to Alice too although 
intended for Bob (and hence may be instructed to go there) and is encrypted 
with Bob's master key and consists of Alice's name and the session key: 

    KeyTable | 
    (zB)°. (zKBS)^{zB}. (zA, zR, z'R)^{zKBS}. (zKAS)^{zA}. (ν K : K) 
      zKAS[out S. in zA. ⟨zB, K, zR, z'R⟩°] | 
      zKBS[out S. in zA. (y_1, y_2)^↑. y_1. y_2. ⟨zA, K⟩°] 

4. Alice decrypts the message intended for her and checks that the random 
number is her own. Then she sends two messages to Bob: one being the mes- 
sage from the Server and the other being Bob's random number encrypted 
with the session key: 

    (xB, xK, xR, x'R)^{K_AS}. (xR[⟨⟩°] | ()^{R_A}. (⟨out A, in B⟩° | 
                                            xK[out A. in B. ⟨x'R⟩°])) 

Note that we test the equality of xR and R_A as illustrated above; in a similar 
way we could have decided to test the equality of xB and B (but protocol 
narrations are often a bit unclear about how many tests actually have to be 
carried out). 

Bob decrypts the first message with his master key thereby obtaining the 
session key and uses it to decrypt the other message and checks that it equals 
his random number: 

    (yA, yK)^{K_BS}. (yR)^{yK}. (yR[⟨⟩°] | ()^{R_B}. ···) 

5. Alice creates her message and sends it encrypted with the session key to Bob 

    (ν M : M) xK[out A. in B. ⟨M⟩°] 

which Bob receives and decrypts using the session key: 

    (yM)^{yK}. ···yM··· 

The protocol may be summarised as follows: 

    A[ (ν R_A : R) p[out A. in B. ⟨A, R_A⟩^↑] | 
       (xB, xK, xR, x'R)^{K_AS}. (xR[⟨⟩°] | 
         ()^{R_A}. (⟨out A, in B⟩° | 
                   xK[out A. in B. ⟨x'R⟩°] | 
                   (ν M : M) xK[out A. in B. ⟨M⟩°])) ] | 

    S[ KeyTable | 
       (zB)°. (zKBS)^{zB}. (zA, zR, z'R)^{zKBS}. (zKAS)^{zA}. (ν K : K) 
         zKAS[out S. in zA. ⟨zB, K, zR, z'R⟩°] | 
         zKBS[out S. in zA. (y_1, y_2)^↑. y_1. y_2. ⟨zA, K⟩°] ] | 

    B[ (yA, yR)°. (ν R_B : R) K_BS[out B. in S. (⟨B⟩^↑ | ⟨yA, yR, R_B⟩°)] | 
       (yA, yK)^{K_BS}. (yR)^{yK}. (yR[⟨⟩°] | ()^{R_B}. (yM)^{yK}. ···yM···) ] 



We refer to the literature for the security properties of the Yahalom protocol. 
Needham-Schroeder. The Needham-Schroeder symmetric key protocol is de- 
scribed in [27]; its classical protocol narration is as follows 

    1. A → S : A, B, R_A 

    2. S → A : K_AS[R_A, B, K_AB, K_BS[A, K_AB]] 

    3. A → B : K_BS[A, K_AB] 

    4. B → A : K_AB[R_B] 

    5. A → B : K_AB[R_B − 1] 

    6. A → B : K_AB[M] 

In Boxed Ambients this can be encoded as follows: 

1. Alice sends her name, Bob's name and a random number to the Server: 

    (ν R_A : R) p[out A. in S. ⟨A, B, R_A⟩^↑] 

2. The Server receives the message, generates a random session key K, and sends 
a single message to Alice encrypted with her master key. It contains Alice's 
random number and the session key. It also contains a message intended for 
Bob (and hence may be instructed to go there) and encrypted with Bob's 
master key containing the session key and Alice's name. To make this work 
the message sent to Alice must act as a forwarder from the ambience of the 
message to the message intended for Bob (as discussed previously): 

    KeyTable | (yA, yB, yR)°. (yKAS)^{yA}. (yKBS)^{yB}. (ν K : K) 
      yKAS[out S. in yA. (⟨yR, K⟩° | 
                         (y_1, y_2, y_3)°. ⟨y_1, y_2, y_3⟩° | 
                         yKBS[(y_1, y_2, y_3)^↑. y_1. y_2. y_3. ⟨yA, K⟩°])] 

3. Alice decrypts the message and checks that she got her random number back; 
then she sends the included message to Bob: 

    (xR, xK)^{K_AS}. (xR[⟨⟩°] | ()^{R_A}. ⟨out K_AS, out A, in B⟩^{K_AS}) 

4. Bob decrypts the message using his master key, generates a random number, 
encrypts it with the session key and sends it to Alice: 

    (zA, zK)^{K_BS}. (ν R_B : R) zK[out B. in zA. ⟨R_B⟩°] 

5. Alice decrypts the message using the session key, she modifies Bob's random 
number (by duplicating it rather than subtracting one), encrypts it with the 
session key and sends it back to Bob: 

    (x'R)^{xK}. xK[out A. in B. ⟨x'R, x'R⟩°] 

Bob decrypts the message with the session key and verifies that it is obtained 
from his random number: 

    (zR, z'R)^{zK}. (zR[⟨⟩°] | z'R[⟨⟩°] | ()^{R_B}. ()^{R_B}. ···) 

6. Alice creates her message and sends it encrypted with the session key to Bob 

    (ν M : M) xK[out A. in B. ⟨M⟩°] 

which Bob receives and decrypts using the session key: 
The protocol may be summarised as follows: 

    A[ (ν R_A : R) p[out A. in S. ⟨A, B, R_A⟩^↑] | 
       (xR, xK)^{K_AS}. (xR[⟨⟩°] | ()^{R_A}. (⟨out K_AS, out A, in B⟩^{K_AS} | 
                                          (x'R)^{xK}. xK[out A. in B. ⟨x'R, x'R⟩°] | 
                                          (ν M : M) xK[out A. in B. ⟨M⟩°])) ] | 

    S[ KeyTable | (yA, yB, yR)°. (yKAS)^{yA}. (yKBS)^{yB}. (ν K : K) 
       yKAS[out S. in yA. (⟨yR, K⟩° | 
                          (y_1, y_2, y_3)°. ⟨y_1, y_2, y_3⟩° | 
                          yKBS[(y_1, y_2, y_3)^↑. y_1. y_2. y_3. ⟨yA, K⟩°])] ] | 

    B[ (zA, zK)^{K_BS}. (ν R_B : R) zK[out B. in zA. ⟨R_B⟩°] | 
       (zR, z'R)^{zK}. (zR[⟨⟩°] | z'R[⟨⟩°] | ()^{R_B}. ()^{R_B}. ···) ] 

We refer to the literature for the security properties of the Needham-Schroeder 
protocol. 

5.3 Adapting the OCFA Analysis to Deal with Communication 

As far as the analysis is concerned we revert to the 0CFA based analysis presented 
in Section 2.2. As before we need to have a component 

    I : Group → P(Group ∪ Cap) 

keeping track of who is inside whom. Additionally we need a component keep- 
ing track of the values bound to variables 

    ℛ : Var → P(Group ∪ Cap) 

and a component keeping track of the contents of the mailboxes: 

    C : Group → P((Group ∪ Cap)*) 

Judgements then take the form 

    (I, C, ℛ) ⊨^⋆_Γ P 

where there is only one superscript to ⊨ because we are reverting to the context- 
insensitive 0CFA based analysis. 
Example 43. Suppose that an ambient A has gotten hold of a message encrypted 
under the key K and that the message instructs A where to move. Assuming that 
A knows the key K this may be illustrated by the process 

    A[K[⟨in S⟩°] | (x)^K. x] | S[ ] 

Assuming that we analyse the process in an environment Γ with Γ(A) = A, 
Γ(K) = K, and Γ(S) = S the analysis estimate 

    I(⋆) = {A, S}          C(K) = {in S} 
    I(A) = {K, in S}       C(⋆) = C(A) = C(S) = ∅ 
    I(S) = {A}             ℛ(x) = {in S} 
    I(K) = ∅ 

will show the possible behaviour of the process. This estimate is in fact the best 
estimate found by the analysis specified below. The ambient hierarchy is once 
again recorded in I and records that A may turn up inside S (i.e. {A} ⊆ I(S)). 
Inspection of C shows that communication may only take place within K where 
the capability in S may be communicated. The variable environment ℛ shows 
that the variable x may be bound to exactly this value. 

Note that while capabilities are recorded directly in I, communication primi- 
tives are recorded indirectly. Outputs are recorded by the effect they have on the 
mailboxes, i.e. on the content of C, while inputs show up as the possible values 
in ℛ of the variables that will be bound by the input. □ 



Specification of the Communication Analysis. As before each acceptable 
analysis estimate for a composite process must also be an acceptable analysis 
estimate for its sub-processes: 



    (I, C, ℛ) ⊨^⋆_Γ (νn:μ)P      iff  (I, C, ℛ) ⊨^⋆_{Γ[n↦μ]} P 

    (I, C, ℛ) ⊨^⋆_Γ (νμ)P        iff  (I, C, ℛ) ⊨^⋆_{Γ[μ↦◦]} P 

    (I, C, ℛ) ⊨^⋆_Γ 0            iff  true 

    (I, C, ℛ) ⊨^⋆_Γ P_1 | P_2    iff  (I, C, ℛ) ⊨^⋆_Γ P_1 ∧ (I, C, ℛ) ⊨^⋆_Γ P_2 

    (I, C, ℛ) ⊨^⋆_Γ !P           iff  (I, C, ℛ) ⊨^⋆_Γ P 

    (I, C, ℛ) ⊨^⋆_Γ N[P]         iff  ∀μ ∈ 𝒩_{Γ,ℛ}(N) : μ ∈ I(⋆) ∧ (I, C, ℛ) ⊨^μ_Γ P 

One change from before is that the name of an ambient can also be given by a 
variable. We therefore use the auxiliary function 𝒩_{Γ,ℛ} to map namings to sets 
of groups: 

    𝒩_{Γ,ℛ}(x) = ℛ(x) ∩ Group 
    𝒩_{Γ,ℛ}(n) = {μ} where μ = Γ(n) 
This function can be extended to obtain the function ℳ_{Γ,ℛ} for mapping capa- 
bilities to sets of values (capabilities or names): 

    ℳ_{Γ,ℛ}(in N)  = {in μ | μ ∈ 𝒩_{Γ,ℛ}(N)} 
    ℳ_{Γ,ℛ}(out N) = {out μ | μ ∈ 𝒩_{Γ,ℛ}(N)} 
    ℳ_{Γ,ℛ}(x)     = ℛ(x) 
    ℳ_{Γ,ℛ}(n)     = {μ} where μ = Γ(n) 

In Boxed Ambients there is no open-capability so we only need to adapt the 
clauses for the in- and out-capabilities. Since we shall use the function ℳ_{Γ,ℛ} we 
have an additional quantification over μ; for in-capabilities we have 

    (I, C, ℛ) ⊨^⋆_Γ in N. P  iff  ℳ_{Γ,ℛ}(in N) ⊆ I(⋆) ∧ (I, C, ℛ) ⊨^⋆_Γ P ∧ 
                                  ∀in μ ∈ ℳ_{Γ,ℛ}(in N) : 𝒫_in(μ) 

where the “closure condition” 𝒫_in is defined by 

    𝒫_in(μ)  iff  ∀μ^a, μ^p : in μ ∈ I(μ^a) ∧ 
                              μ^a ∈ I(μ^p) ∧ 
                              μ ∈ I(μ^p) 
                              ⇒ μ^a ∈ I(μ) 

For out-capabilities we have 

    (I, C, ℛ) ⊨^⋆_Γ out N. P  iff  ℳ_{Γ,ℛ}(out N) ⊆ I(⋆) ∧ (I, C, ℛ) ⊨^⋆_Γ P ∧ 
                                   ∀out μ ∈ ℳ_{Γ,ℛ}(out N) : 𝒫_out(μ) 

where the “closure condition” 𝒫_out is defined by 

    𝒫_out(μ)  iff  ∀μ^a, μ^g : out μ ∈ I(μ^a) ∧ 
                               μ^a ∈ I(μ) ∧ 
                               μ ∈ I(μ^g) 
                               ⇒ μ^a ∈ I(μ^g) 

Finally, for “mixed capabilities” we have: 

    (I, C, ℛ) ⊨^⋆_Γ N. P  iff  ℳ_{Γ,ℛ}(N) ∩ Cap ⊆ I(⋆) ∧ (I, C, ℛ) ⊨^⋆_Γ P ∧ 
                               ∀in μ ∈ ℳ_{Γ,ℛ}(N) : 𝒫_in(μ) ∧ 
                               ∀out μ ∈ ℳ_{Γ,ℛ}(N) : 𝒫_out(μ) 

Thus, if N is a variable containing a capability then the capability must be in 
I(⋆) and the “closure conditions” ensure that this capability is analysed in all 
ambients where it may end up. 

The new clauses deal with polyadic input and output for each of the three 
directions. For local communication the clauses are 

    (I, C, ℛ) ⊨^⋆_Γ ⟨M_1, ··· , M_k⟩°     iff  ℳ_{Γ,ℛ}(M_1) × ··· × ℳ_{Γ,ℛ}(M_k) ⊆ C(⋆) 

    (I, C, ℛ) ⊨^⋆_Γ (x_1, ··· , x_k)°. P  iff  ∀(v_1, ··· , v_k) ∈ C(⋆) : 
                                              v_1 ∈ ℛ(x_1) ∧ ··· ∧ v_k ∈ ℛ(x_k) ∧ 
                                              (I, C, ℛ) ⊨^⋆_Γ P 

where output ensures that the values are “put” into the local mailbox C(⋆) while 
input “copies” values from C(⋆) into the variables. For communication with a 
child we add the clauses: 

    (I, C, ℛ) ⊨^⋆_Γ ⟨M_1, ··· , M_k⟩^N     iff  ∀μ ∈ 𝒩_{Γ,ℛ}(N) : μ ∈ I(⋆) 
                                              ⇒ ℳ_{Γ,ℛ}(M_1) × ··· × ℳ_{Γ,ℛ}(M_k) ⊆ C(μ) 

    (I, C, ℛ) ⊨^⋆_Γ (x_1, ··· , x_k)^N. P  iff  ∀μ ∈ 𝒩_{Γ,ℛ}(N) : μ ∈ I(⋆) 
                                              ⇒ ∀(v_1, ··· , v_k) ∈ C(μ) : 
                                                v_1 ∈ ℛ(x_1) ∧ ··· ∧ v_k ∈ ℛ(x_k) ∧ 
                                                (I, C, ℛ) ⊨^⋆_Γ P 

Here we obtain all the possible groups μ of the child N and check that the 
corresponding ambient indeed occurs in the ambience ⋆; for each successful group 
μ the communication is recorded by adapting the clause for local communication. 
For communication with a parent we add the clauses: 

    (I, C, ℛ) ⊨^⋆_Γ ⟨M_1, ··· , M_k⟩^↑     iff  ∀μ : ⋆ ∈ I(μ) 
                                              ⇒ ℳ_{Γ,ℛ}(M_1) × ··· × ℳ_{Γ,ℛ}(M_k) ⊆ C(μ) 

    (I, C, ℛ) ⊨^⋆_Γ (x_1, ··· , x_k)^↑. P  iff  ∀μ : ⋆ ∈ I(μ) 
                                              ⇒ ∀(v_1, ··· , v_k) ∈ C(μ) : 
                                                v_1 ∈ ℛ(x_1) ∧ ··· ∧ v_k ∈ ℛ(x_k) ∧ 
                                                (I, C, ℛ) ⊨^⋆_Γ P 

One may note that the analysis is a bit imprecise with respect to the seman- 
tics because although ⟨M⟩^n | n[m[(x)^↑. P | Q] | R] ↛ ··· the analysis will 
pretend that the communication succeeds. One should also point out that the 
analysis of the communication primitives would have been somewhat more com- 
plex if the designers of Boxed Ambients had decided to keep the open-primitive; 
the reason is that then the communication may take place in other ambiences 
than where first encountered in the analysis (see [30] for how to deal with this). 
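The clauses above can be solved as a least fixed point, which the Moore family result of Theorem 45 below guarantees to exist. The following Python code is an added example and not the authors' implementation (which goes through ALFP, see below): it represents a Boxed Ambients process as nested tuples, evaluates each clause as a constraint that only ever adds to I, C and ℛ, iterates until nothing changes, and reproduces the estimate of Example 43. Γ is given as a dictionary and restriction is left out, since Example 43 assumes a fixed environment; as in the text, an input only matches mailbox entries of its own arity.

```python
# Added example (not the paper's ALFP implementation): a least-fixed-point solver
# for the 0CFA communication analysis. Processes are nested tuples:
#   ("zero",) | ("par", P, ...) | ("bang", P) | ("amb", N, P) | ("cap", M, P)
#   | ("send", dir, [M, ...]) | ("recv", dir, [x, ...], P)
# where N is a name or variable, M is ("in", N), ("out", N) or a naming, and
# dir is LOCAL (°), UP (↑) or a child naming N. Groups are strings, a capability
# is a pair such as ("in", "S"), and a mailbox entry is a tuple of values.
from collections import defaultdict
from itertools import product

LOCAL, UP = "local", "up"


class CFA:
    def __init__(self, gamma):
        self.gamma = gamma                 # Γ : name -> group (assumed given)
        self.I = defaultdict(set)          # I : Group -> P(Group ∪ Cap)
        self.C = defaultdict(set)          # C : Group -> P((Group ∪ Cap)*)
        self.R = defaultdict(set)          # ℛ : Var -> P(Group ∪ Cap)
        self.changed = False

    def add(self, table, key, values):
        before = len(table[key])
        table[key] |= set(values)
        self.changed |= len(table[key]) != before

    def names(self, naming):               # 𝒩_{Γ,ℛ}: naming -> set of groups
        if naming in self.gamma:
            return {self.gamma[naming]}
        return {v for v in self.R[naming] if isinstance(v, str)}

    def values(self, m):                   # ℳ_{Γ,ℛ}: capability or naming -> values
        if isinstance(m, tuple):
            return {(m[0], mu) for mu in self.names(m[1])}
        return {self.gamma[m]} if m in self.gamma else set(self.R[m])

    def closure_in(self, mu):              # 𝒫_in(μ)
        for mu_a in list(self.I):
            if ("in", mu) in self.I[mu_a]:
                for mu_p in list(self.I):
                    if mu_a in self.I[mu_p] and mu in self.I[mu_p]:
                        self.add(self.I, mu, {mu_a})

    def closure_out(self, mu):             # 𝒫_out(μ)
        for mu_a in list(self.I):
            if ("out", mu) in self.I[mu_a] and mu_a in self.I[mu]:
                for mu_g in list(self.I):
                    if mu in self.I[mu_g]:
                        self.add(self.I, mu_g, {mu_a})

    def mailboxes(self, direction, star):
        """Mailboxes a primitive in ambience ⋆ may reach: ⋆ itself for °, every μ
        with ⋆ ∈ I(μ) for ↑, and every group of a child naming that lies in I(⋆)."""
        if direction == LOCAL:
            return {star}
        if direction == UP:
            return {mu for mu in list(self.I) if star in self.I[mu]}
        return {mu for mu in self.names(direction) if mu in self.I[star]}

    def check(self, p, star):
        kind = p[0]
        if kind == "par":
            for q in p[1:]:
                self.check(q, star)
        elif kind == "bang":
            self.check(p[1], star)
        elif kind == "amb":
            for mu in self.names(p[1]):
                self.add(self.I, star, {mu})
                self.check(p[2], mu)
        elif kind == "cap":
            caps = {v for v in self.values(p[1]) if isinstance(v, tuple)}
            self.add(self.I, star, caps)
            self.check(p[2], star)
            for cap_kind, mu in caps:
                (self.closure_in if cap_kind == "in" else self.closure_out)(mu)
        elif kind == "send":
            for mu in self.mailboxes(p[1], star):
                self.add(self.C, mu, product(*(self.values(m) for m in p[2])))
        elif kind == "recv":
            boxes = self.mailboxes(p[1], star)
            for mu in boxes:
                for vs in list(self.C[mu]):
                    if len(vs) == len(p[2]):          # only equal arities match
                        for x, v in zip(p[2], vs):
                            self.add(self.R, x, {v})
            if boxes or p[1] == LOCAL:
                self.check(p[3], star)

    def solve(self, p):
        """Iterate the clauses from empty tables until stable: the least estimate."""
        while True:
            self.changed = False
            self.check(p, "*")
            if not self.changed:
                return dict(self.I), dict(self.C), dict(self.R)


EXAMPLE_43 = ("par",
              ("amb", "A", ("par", ("amb", "K", ("send", LOCAL, [("in", "S")])),
                                   ("recv", "K", ["x"], ("cap", "x", ("zero",))))),
              ("amb", "S", ("zero",)))


def example43():
    """Γ(A) = A, Γ(K) = K, Γ(S) = S, as in Example 43."""
    return CFA({"A": "A", "K": "K", "S": "S"}).solve(EXAMPLE_43)
```

The solver needs two rounds on Example 43: the first records K and in S inside A and binds x, the second fires the closure condition for in S once S is known to be a sibling of A under ⋆, which is the {A} ⊆ I(S) entry of the estimate.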



Correctness of the Communication Analysis. Once more the correctness 
of the analysis amounts to a “subject reduction” result: 

Theorem 44. If (I, C, ℛ) ⊨^⋆_Γ P and P →* Q then (I, C, ℛ) ⊨^⋆_Γ Q. 



Implementation of the Communication Analysis. Once more the exis- 
tence of a least analysis is a consequence of the Moore family result: 

Theorem 45. For each P, the set {{I,C,TZ) \ {I,C,TZ) 1=^ P} is a Moore 
family. 

The implementation in ALFP proceeds much as before. One caveat is the 
use of the universal quantification over μ in the clause for ambients: 

$$\forall \mu \in \mathcal{M}_{\Gamma,R}(N) :$$

Here we must make sure that the variable μ is not in the domain or range of Γ. 

Another issue is that the communication component C uses sequences to rep- 
resent messages in the mailboxes. Instead of encoding sequences in general into a 
relational form that can be described in ALFP we use the fact that the analysis 
(and the semantics) only compares messages of the same length. Therefore, we 
can split C into mappings $C_k : \mathit{Group} \to \mathcal{P}((\mathit{Group} \cup \mathit{Cap})^k)$ for each mes- 
sage arity k occurring in the process we analyse. This intuitively corresponds to 
having different mailboxes for messages of different length. We reformulate the 
analysis into an equivalent analysis where analysing a communication primitive 
of arity k only gives requirements on the content of the communication compo- 
nent $C_k$. In turn, this allows us to encode each communication component $C_k$ as 
a relation of fixed arity k + 1. 
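The clauses above, the grandchild imprecision, and the per-arity split of C can be exercised on a small fragment. The following is an added example, not code from the paper or its Succinct Solver: it assumes the occurrence component I is already known (it is produced by the mobility clauses, not shown here), represents a process as a flat list of communication primitives tagged with the group of the ambient they sit in, and uses constructed group names s, a, m, k, b; the helper names m_set, targets and analyse are hypothetical.

```python
# Added example (not the paper's code): least solution of the 0CFA communication
# clauses for a flat Boxed Ambients fragment; I is assumed given (it comes from the
# mobility clauses) and C is split per arity into C_k as in the ALFP encoding.
from itertools import product

def m_set(gamma, R, M):                       # M_{Gamma,R}(M): groups M may denote
    return R[M] if M in R else {gamma[M]}

def targets(I, star, direction, gamma, R):    # mailboxes C(mu) reachable from `star`
    if direction == "*":                      # local: the ambient itself
        return {star}
    if direction == "^":                      # parent: every mu with star in I(mu)
        return {mu for mu, inside in I.items() if star in inside}
    return {mu for mu in m_set(gamma, R, direction) if mu in I[star]}  # child N

def analyse(I, gamma, prims, variables):
    """Least (C, R) for primitives (group, "out"|"in", direction, args, continuation)."""
    C = {}                                    # C_k: (group, k) -> set of k-tuples
    R = {x: set() for x in variables}
    changed = True
    while changed:
        changed, work = False, list(prims)
        while work:
            star, kind, direction, args, cont = work.pop()
            for mu in targets(I, star, direction, gamma, R):
                box = C.setdefault((mu, len(args)), set())
                if kind == "out":             # put the value tuples into C(mu)
                    new = set(product(*(m_set(gamma, R, M) for M in args))) - box
                    changed |= bool(new)
                    box |= new
                else:                         # copy values from C(mu) into R(x_i)
                    for tup in box:
                        for x, v in zip(args, tup):
                            changed |= v not in R[x]
                            R[x].add(v)
                    if box:                   # continuation P analysed under the quantifier
                        work.extend(cont)
    return C, R

# Constructed scenario: server s with child a, and grandchild m inside a.
I_EX = {"s": {"a"}, "a": {"m"}, "m": set()}
GAMMA = {"s": "s", "a": "a", "m": "m", "k": "k", "b": "b"}
PRIMS = [
    ("s", "out", "a", ["k"], []),             # <k>^a    output into child a
    ("s", "out", "*", ["b", "k"], []),        # <b,k>o   local output, arity 2
    ("a", "in", "*", ["x"], [("a", "out", "^", ["x"], [])]),  # (x)o.<x>^up
    ("s", "in", "*", ["y"], []),              # (y)o     arity 1, so <b,k> is ignored
    ("m", "in", "^", ["z"], []),              # (z)^up   in m: the semantics has no
]                                             # reduction here, yet R(z) = {k} (imprecision)
C_EX, R_EX = analyse(I_EX, GAMMA, PRIMS, ["x", "y", "z"])
```

The result R(z) = {k} is exactly the over-approximation discussed above: no reduction lets m consume the output directed at a, but the mailbox C(a) makes the analysis pretend it can.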

We then obtain an implementation much as before. However, now it is no 
longer the case that there is a fixed upper bound on the nesting depth of quan- 
tifiers and therefore the worst-case complexity is exponential; in practice it will 
be polynomial if there is a small nesting depth of ambients in the original pro- 
cess (or at least when the nesting depth of variable-named ambients is less than 
linear in the size of the process). 

If we were to admit composite capabilities (i.e. M.M) we would face the prob- 
lem that the universe is no longer finite for a given process since the process may 
output a few simple capabilities and then repeatedly input two capabilities and 
then output their composition. A rather crude way of dealing with this (taken 
in [30]) is to abandon recording the causal structure of capabilities. The better 
way is to adapt the solving technology to deal with a possibly infinite universe. 
A possibly infinite subset of the universe is then described using a tree grammar 
(or tree automaton). We can express this using our Succinct Solver by manually 
translating the specification into one that constructs the tree grammar; we re- 
fer to [33] for an account of how to do so for the Spi-calculus [1]. Alternatively 
we may replace the Succinct Solver with a more appropriate solver based on 
set-constraints [2] or H3 [34]. 

Remark 46. Our restriction to finitary calculi is in line with some recent devel- 
opments for Mobile Ambients. In [17] Charatonik, Gordon, and Talbot provide a 
type system which can check whether a process has finite behaviour. It is then 
possible to model check such a process against a so-called ambient logic [15]. 
Teller, Zimmer, and Hirschkoff [40] model a resource as an ambient R with a 
fixed capacity given by the maximal number of other ambients allowed inside R 
at top level. They provide a type system for resource control that checks whether 
the resource capacities in a system may be exceeded at run-time. □ 

5.4 Protocol and Exchange Analysis 

Protocol Analysis. We now show a number of properties of the Wide Mouthed 
Frog protocol that can be obtained using the 0CFA analysis. 

Example 47. We can analyse the Wide Mouthed Frog protocol using the 0CFA 
analysis and aim at “maximal precision” by keeping as many groups distinct as 
possible. This means that we analyse the protocol in a group environment where 
Γ(A) = A, Γ(B) = B, Γ(S) = S, Γ(K_AS) = K_AS and Γ(K_BS) = K_BS. Recall that 
the protocol additionally specifies the groups of the session key and the message 
(i.e. (ν K_AB : K_AB) and (ν M : M)). Then the possible values of variables in the 
analysis component R are given by: 

R | x     z_{K_AB}   z_A   y_{K_BS}   y_{K_AB}   y_B   y_{K_AS}    y_A 
--+------------------------------------------------------------------- 
  | {M}   {K_AB}     {A}   {K_BS}     {K_AB}     {B}   {A, K_AS}   {A} 

Note in particular that z_{K_AB} can only be bound to the session key created by 
Alice. Consequently Bob may receive the messages Alice sends encrypted under 
the session key, as shown by the values of R(x). The reason that both A and K_AS 
show up in R(y_{K_AS}) is that the analysis does not distinguish the ambient A that 
represents Alice and the ambient A in the KeyTable. □ 

Example 48. In the specification of the Wide Mouthed Frog protocol the server 
only allows known principals to participate in the protocol, since keys shared 
between the server and a principal need to appear in KeyTable. Suppose that 
an unknown principal E (for Enemy) tries to participate in the protocol by 
carrying out the part of Alice. That is, suppose that the Enemy is the process 
describing Alice with A replaced by E everywhere. This is the process below, 
where K_ES, M', K_EB and M' are arbitrarily chosen free names and free groups, 
respectively. 

E[ (ν K_EB : K_EB) K_ES[ out E. in S. (⟨E⟩↑ | ⟨B, K_EB⟩°) ] | 
   (ν M' : M') K_EB[ out E. in B. ⟨M'⟩° ] ] 

Since the Server does not know the key K_ES the attempt to participate in the 
protocol will fail. This can in fact be guaranteed using the 0CFA analysis by 
analysing the process implementing the Wide Mouthed Frog protocol in parallel 
with the ambient E above. The interesting part of the analysis result is: 

R | x     z_{K_AB} 
--+---------------- 
  | {M}   {K_AB} 

which guarantees that Bob will never receive the message M' in the variable 
x. Since K_ES and M' are arbitrarily chosen the result guarantees that any such 
attempt by the Enemy to conform with the protocol will indeed fail. 

Suppose on the other hand that the Server does know the key K_ES, i.e. that 
KeyTable is extended to: 

KeyTable' = A[ !⟨K_AS⟩° ] | B[ !⟨K_BS⟩° ] | E[ !⟨K_ES⟩° ] 

Now the Server may successfully let E participate in the protocol as confirmed 
by the analysis result: 

R | x         z_{K_AB} 
--+---------------------- 
  | {M, M'}   {K_AB, K_EB} 

This corresponds to the Enemy being a dishonest principal rather than an in- 
truder. □ 
Example 49. Assume that an enemy E shares a key K_ES with the Server in the 
Wide Mouthed Frog protocol (i.e. that the Server uses KeyTable' of Example 
48). The enemy may now attempt to “impersonate Alice” by sending an A in 
the unencrypted part of the first message. This can be encoded as the process 

E[ (ν K_EB : K_EB) K_ES[ out E. in S. (⟨A⟩↑ | ⟨B, K_EB⟩°) ] | 
   (ν M' : M') K_EB[ out E. in B. ⟨M'⟩° ] ] 

The goal of the Enemy is to “fool” Bob into believing that the key K_EB was a 
session key generated by Alice. However, the 0CFA analysis guarantees us that 
this never happens. By analysing the above ambient E in parallel with the Wide 
Mouthed Frog protocol (using KeyTable' instead of KeyTable) we get: 

R | x     z_{K_AB} 
--+---------------- 
  | {M}   {K_AB} 

This in fact ensures that the key K_EB will never even reach Bob, i.e. it will never 
be bound to the variable z_{K_AB}. Thus, in particular, this attack cannot fool Bob 
into believing that the key came from Alice. □ 



Exchange Analysis. Besides opening and crossing control, exchange anal- 
ysis of ambients is also considered in [12] (and links back to the type system of 
[14]). Exchange analysis deals with determining what the topic of conversation 
is for some ambient n: is there no communication at all, is there an exchange of 
ambient names only, or is there an exchange of capabilities only? 

These questions can be answered using the analysis as follows. Suppose that 
$(I,C,R) \models^{\Gamma}_{*} P$ and let μ = Γ(n). 

— No communication at all takes place in case C(μ) = ∅; 

— There is exchange of ambient names only, in case C(μ) ⊆ Group*; 

— There is exchange of capabilities only, in case C(μ) ⊆ Cap*. 

The correctness of these claims is an immediate consequence of Theorem 44. We 
obtain the best answer by using the least analysis estimate as guaranteed by 
Theorem 45. 

Remark 50. Numerous type systems for ambient calculi deal with communi- 
cation and much of the work is based on the original type system by Cardelli 
and Gordon [14], including type systems for Boxed Ambients [9,8,21,26]. Further- 
more, some type systems incorporate information about mobility (e.g. [11,12]), 
which is also the case for Merro and Sassone’s recent type system [26] for Boxed 
Ambients. 

The type system of [26] checks whether exchange types of send and receive 
are compatible both for local and non-local communication. If any pair of com- 
munications within a process is incompatible the process does not type check. 
In comparison, our 0CFA analysis will analyse any process; as such, our 0CFA 
analysis is closer to soft typing. The information conveyed by the exchange types 
is, in essence, similar to the content of the C component of our 0CFA analysis as 
described in the section above. A notable difference is that [26] forbids commu- 
nications of different arities within the same ambient. This restriction is present 
in many type systems for ambient calculi and probably goes back to the type 
system of [14]. 

The type system of [26] also incorporates mobility types that for a given 
ambient n give the set of other ambients in which n is allowed to occur; this 
is similar to the I component of our 0CFA analysis. All types are ordered by a 
subtyping relation that allows one to say that some types are “better” than others 
and to define a best type. Though listed as work in progress, they do not provide 
a type inference algorithm, so they cannot automatically calculate the mobility 
and communication behaviour of a given process. □ 



6 Conclusion 

Mobile Ambients and their variants have established themselves as a useful class 
of process algebras in which to study mobility. Our first aim was to extend the 
calculus to express discretionary access control in a manner compatible with 
the classical studies of operating systems; we achieved this goal by developing 
the Discretionary Ambients (and thereby generalising the Safe Ambients). Our 
second aim was to extend the calculus to express mandatory access control for 
confidentiality as well as integrity; we achieved this goal by modifying the seman- 
tics to enforce the checks of the reference monitor. Our third aim was to show 
that cryptographic key exchange protocols could be coded rather naturally in 
Boxed Ambients where we make use of the more general communication primi- 
tives of Boxed Ambients over those of Mobile Ambients; as far as we are aware 
this is the first treatment of key exchange protocols in a calculus for mobility. 

Throughout we have defined the semantics and developed 0CFA or 1CFA 
analyses for the calculi studied. They could be implemented in our Succinct 
Solver by re-expressing the specification in a fragment of Alternation-free Least 
Fixed Point Logic (ALFP). Except for Boxed Ambients we could guarantee a 
worst-case complexity that is a polynomial of a low degree; for Boxed Ambients 
the degree of the polynomial is proportional to the nesting depth of ambients 
in the original process (and hence exponential in the size of the process in the 
worst case). 

We believe that our Flow Logic approach to analysis gives us a number of con- 
veniences. We share with type systems the convenience of separating specifica- 
tion from implementation thereby obtaining a conceptually cleaner formulation 
of the analysis that interacts well with semantic correctness and state-of-the-art 
techniques for efficient implementation. But unlike most type systems based on 
subtyping we achieve polynomial time complexity for most of the analyses of 
interest. 

Perhaps more importantly, the logical or constraint-based nature of our ap- 
proach led us to the formulation of “hardest attackers”: a finite process char- 
acterising all possible malicious processes (somewhat in the manner of hard 
problems for a given complexity class). The key element in our success is that 
we limit our attention to the finitary world of the static analysis. In the original 
development [31,30] we considered the firewall described in [13]. Here only agents 
knowing the required passwords are supposed to enter, and it is shown that all 
agents in a special form will in fact enter. However, it is at least as important to 
ensure that an attacker not knowing the required passwords cannot enter, since 
this presents a useful technique for screening a system against attackers. This 
is achieved using the “hardest attacker” [31,30]. We conjecture that a similar 
development may be possible for the key exchange protocols considered in Sub- 
section 5.2; a preliminary study for protocols expressed in the LySa-calculus is 
reported in [5]. 